Key developments
Chicago plaintiffs sue over AI voice training
State Journal-Register reported that nine class-action lawsuits were filed in federal court in Chicago against Google, Amazon, Apple, Microsoft, Meta, Adobe, Samsung, ElevenLabs, and NVIDIA. Journalists, podcasters, and voice actors, including Carol Marin and Phil Rogers, allege the companies used recorded voices to train foundational AI models without written consent, violating Illinois' Biometric Information Privacy Act. The complaints say voiceprints are biometric identifiers and that plaintiffs were never told their recordings would be used for AI training or asked for permission.
Why it matters
The cases could set an important precedent on whether voice data used for AI training is protected biometric information.
Sources & driving stories
STATE JOURNAL-REGISTER
State Journal-Register coverageNYC Health and Hospitals breach hits 1.8 million
The Next Web reported that NYC Health and Hospitals disclosed a cyberattack affecting at least 1.8 million people. The organization said attackers had access from about November 25, 2025 until detection on February 2, 2026, and copied files containing medical records, insurance details, billing and payment information, Social Security numbers, passport and driver's licence numbers, fingerprints, palm prints, and precise geolocation data. NYCHHC said the intrusion came through a third-party vendor and reported the matter to the US Department of Health and Human Services.
Why it matters
It is a large-scale health-sector privacy breach involving medical, biometric, and location data.
Sources & driving stories
THE NEXT WEB
The Next Web coverageŠkoda discloses e-commerce customer breach
Escudo Digital reported that Škoda detected unauthorized exploitation of a vulnerability in the software behind its online store during routine security monitoring. The company said the intrusion temporarily exposed customer names, postal addresses, email addresses, phone numbers, order history, and hashed account credentials, while payment card data was not affected because transactions are handled by external providers. Škoda disconnected the store, notified authorities, patched the flaw, and hired digital forensic investigators, though it said logging limits make it hard to prove whether data was exfiltrated or only viewed.
Why it matters
The disclosure shows how an e-commerce software flaw can expose identity and account data even when payment systems stay untouched.
Sources & driving stories
ESCUDO DIGITAL · Alberto Payo
Escudo Digital coverageWorth noting
WORTH NOTING
Netherlands tests home fall sensors
A new pilot places AI sensors inside private residences, highlighting the privacy tradeoff between aging-in-place care and continuous home monitoring.
WORTH NOTING
Revenue warns staff after supplier breach
Irish Revenue told employees not to reuse passwords after a Pitney Bowes ransomware incident put worker contact details at risk.
WORTH NOTING
Excelas breach may expose health data
Edelson Lechtzin LLP is investigating a reported Excelas breach that may have exposed medical and identity information and triggered Massachusetts notice.
Still unclear
OPEN QUESTION
Will Illinois courts treat voices as biometrics?
The Chicago lawsuits hinge on whether voiceprints qualify as biometric identifiers under BIPA, which would shape AI training liability nationwide.
OPEN QUESTION
How much NYCHHC data was actually exfiltrated?
Investigators still have not clarified whether the attackers merely accessed files or also removed them, especially for biometric and geolocation records.