Key developments
NYC Health + Hospitals discloses 1.8M-person breach
NYC Health + Hospitals disclosed a data breach affecting about 1.8 million people. The exposure included PHI and PII such as insurance and policy details, Medicaid and Medicare identifiers, medical record numbers, diagnoses, medications, test results, images, treatment plans, fingerprints, palm prints, Social Security numbers, driver’s license numbers, tax IDs, geolocation data, payment data, and online account credentials. The incident was reported to HHS on March 24, 2026, and the system has begun notifying affected individuals and advising credit freezes, fraud alerts, password changes, two-factor authentication, and phishing precautions.
Why it matters
It exposes medical, biometric, and financial data at massive scale, creating broad identity-theft and care-fraud risk.
Sources & driving stories
CLAIM DEPOT
Claim Depot coveragePublic Amazon bucket exposes 1M+ hotel IDs
Reqrea's Tabiq hotel check-in system left an Amazon cloud storage bucket publicly accessible, exposing more than 1 million passports, driver’s licenses, and selfie verification photos. According to the report, the files dated from early 2020 through the month of discovery, and the bucket was later locked down after researcher Anurag Sen alerted TechCrunch, which then notified the company and Japan's JPCERT. Reqrea says the investigation is still ongoing and that access logs are being reviewed before it notifies affected users.
Why it matters
It shows a single cloud misconfiguration can expose passport-scale identity documents and trigger cross-border notification fallout.
Sources & driving stories
SECURITY AFFAIRS · Pierluigi Paganini
Security Affairs coverageBiometric privacy suits target AI voices, Disney
Nine class-action lawsuits filed in Chicago federal court accuse Amazon, Adobe, Google and Alphabet, Apple, Microsoft, Samsung, Meta, ElevenLabs, and NVIDIA of using journalists' and voice actors' recordings to train AI voice models without written consent under Illinois' BIPA law. In a separate California federal case, a proposed class of Disneyland and Disney California Adventure visitors sued Disney over facial recognition at park entrances, alleging inadequate notice and consent and seeking at least $5 million. Together, the filings show biometric claims moving deeper into AI training and consumer-facing recognition systems.
Why it matters
It suggests biometric privacy disputes are moving into mainstream AI training and consumer recognition systems, not just workplace time clocks.
Sources & driving stories
WJBC AM 1230
WJBC AM 1230 coverageHOLLYWOOD REPORTER · Winston Cho
Hollywood Reporter coverageWorth noting
WORTH NOTING
Illinois facial-surveillance bill stalls
House Bill 5521 missed a committee deadline, pushing the proposed facial-recognition ban out of the current legislative window.
WORTH NOTING
7-Eleven franchisee breach disclosed
The company said unauthorized access hit franchise application records and triggered mailed notices and identity protection offers.
WORTH NOTING
Fidelity breach settlement advances
A proposed $2.5 million settlement tied to the 2024 Fidelity incident now awaits court approval and claim filing deadlines.
Still unclear
OPEN QUESTION
How broad was Tabiq access?
Reqrea says it is still reviewing logs, so the number of outside accesses before lockdown remains unresolved.
OPEN QUESTION
Will courts treat voiceprints as biometrics?
The Chicago BIPA suits depend on whether voice recordings and derived voiceprints qualify as protected biometric identifiers.