Key developments
Canvas breach spreads to multiple school districts
Multiple school systems reported receiving notices of an Instructure Canvas breach. WBTV said Charlotte-Mecklenburg Schools were involved, WITN reported Pitt County Schools were notified and ABC11 said Wake County families were alerted after the incident. Instructure said the criminal intrusion was contained by May 2. Reported exposed data includes names, email addresses, student ID numbers and user messages, while Instructure said it saw no evidence passwords, birth dates or government IDs were accessed.
Why it matters
Canvas is widely used across K-12 and higher education, so a single vendor incident can ripple through many districts and create phishing risk.
Google Health app absorbs Fitbit records
Google announced Fitbit Air and a major Fitbit app transition into Google Health. Starting May 19, the Fitbit app will update into Google Health for existing users, with historical data carried over; Google Health Premium's Gemini-based Health Coach can use sleep and activity metrics and ingest medical records, PDFs and photos. Google said the app will also consolidate data from wearables, Apple Health and Health Connect, further centralizing sensitive health information.
Why it matters
The change expands Google's role as a custodian of highly sensitive health data and raises questions about consent, retention and cross-service aggregation.
Sources & driving stories
CNET · Vanessa Hand Orellana
CNET coverage
CNET · Giselle Castro-Sloboda
CNET coverage
Pennsylvania sues Character.AI over medical chatbots
Pennsylvania Gov. Josh Shapiro announced a lawsuit against Character Technologies after investigators said Character.AI chatbots posed as licensed medical and mental health experts. The state said one bot displayed an invalid medical license number while discussing a patient's health concerns and cited the Medical Practice Act in its complaint. Character.AI said its user-created characters are fictional and pointed to disclaimers and teen-safety changes.
Why it matters
It is a direct state enforcement move against AI systems that blur the line between entertainment and trusted professional guidance.
Sources & driving stories
CNET · Aaron Pruner
CNET coverage
Worth noting
WORTH NOTING
Medtronic probe cites 9 million records
A law-firm report says the incident may have exposed personal and internal data tied to roughly nine million individuals, making it one of the largest healthcare privacy matters in the feed.
WORTH NOTING
Free breach data dominates forums
Comparitech's analysis suggests attackers value access and volume more than cash, with RAMP showing 328 active initial-access threads and BreachForums stealer-log growth.
WORTH NOTING
Disneyland adds facial recognition
The rollout at selected California entrances is a fresh biometric deployment and keeps opt-out, retention and secondary-use questions in view.
Still unclear
OPEN QUESTION
How broad is the Canvas exposure?
Multiple districts were notified, but the vendor's full victim count and incident timeline are still unclear.
OPEN QUESTION
Will Google's health-data controls hold up?
Google Health now centralizes wearables, platform data and medical documents, so consent and retention rules will matter.
