Data liability goes mainstream

A phone quietly using your mobile data in the background used to sound like a settings annoyance. In April 2026, it turned into a live claims process tied to a $135 million Google settlement for roughly 100 million United States Android users. (cnet.com) The lawsuit says Android devices sent cellular data to Google even when the phones were idle and users had not given permission. Google denied wrongdoing, but it agreed to a preliminary settlement in January 2026 and the payment site is now open. (cnet.com) The details make this more than a nuisance case. CNET reports Google must update Google Play terms to say some transfers happen passively, ask for consent during setup, and fully stop collection when the “allow background data usage” switch is turned off. (cnet.com) The class is huge because the bar is low: a living person in the United States who used an Android phone with a cellular plan at any point from November 12, 2017 until final approval. The court’s final approval hearing is scheduled for June 23, 2026, and objections or exclusions are due by May 29, 2026. (cnet.com) That is the new shape of data risk for big companies. The cost is no longer just “bad press” after a privacy story; it is settlement cash, rewritten product terms, court deadlines, and a public paper trail that tells users exactly what was happening. (cnet.com) At the same time, the breach side of the same problem is landing in healthcare. CareCloud told the United States Securities and Exchange Commission that unauthorized access on March 16, 2026 disrupted one of its six electronic health record environments for about eight hours. (sec.gov) An electronic health record is the digital chart that follows a patient through clinics, billing systems, and hospitals, so one break-in can expose years of diagnoses, insurance details, and treatment history in one place. CareCloud says it serves more than 45,000 providers across thousands of hospitals and medical practices, covering millions of patients. (techcrunch.com) CareCloud said it restored the affected environment the same evening and believed the hackers were out of its network, but it also said the investigation was still underway and it was not yet known what data, if any, had been taken. The company decided on March 24, 2026 that the incident was material enough to disclose to investors. (sec.gov) (techcrunch.com) Then there is the third version of liability: data as a tool for surveillance. TechCrunch reported on April 8, 2026 that researchers found a hack-for-hire group targeting journalists, activists, and government officials in the Middle East and North Africa with Android spyware and phishing for iCloud backups. (techcrunch.com) That campaign matters because it did not need one giant breach at one company. It worked by pulling data from the devices and cloud accounts people already trusted, including Signal messaging accounts and Apple backup credentials, until a private phone became an intelligence file. (techcrunch.com) Put those three stories together and the pattern is blunt. If a company collects data without clear consent, stores sensitive records in concentrated systems, or leaves cloud accounts easy to phish, the bill now shows up in court filings, breach disclosures, and incident reports instead of in abstract privacy debates. (cnet.com) (sec.gov) (techcrunch.com)