Privacy & Data Case Roundup | April 2026

Compiled from court filings, settlement announcements, and legal reporting

April 2026 Privacy & Data Roundup: TCPA Reform Bill, Dermatology Data Breach Settlement, Pixel Tracking Lawsuits, and the Change Healthcare Fallout

From a proposed overhaul of federal robocall law to fresh pixel-tracking suits targeting household-name brands, April 2026 has been a busy month in the privacy and consumer data litigation space. A $2.4 million medical data breach settlement has also been reached, while Iowa's attorney general is pressing state claims against one of the most consequential healthcare cyberattacks in recent history. Here's what you need to know.

1. Democrats Introduce Bill to Expand TCPA's Definition of Autodialers

Status: Proposed legislation — not yet law

Who's Affected: Consumers who receive unsolicited calls or texts; businesses that use automated outreach

A new Congressional bill introduced in both the House and the Senate would significantly expand the Telephone Consumer Protection Act — including broadening the definition of an "automatic telephone dialing system," or ATDS, which sits at the center of nearly every TCPA class action lawsuit.

According to legal industry reporting from TCPA World, the bill was developed with involvement from the National Consumer Law Center (NCLC) and mirrors prior legislative attempts to walk back the U.S. Supreme Court's 2021 decision in Facebook v. Duguid, which narrowed what qualifies as an autodialer under the TCPA.

The ATDS definition has been fiercely contested for years. Under the current post-Duguid standard, a system must have the capacity to generate random or sequential phone numbers to qualify — a threshold that effectively shielded many modern calling platforms from TCPA liability. The proposed legislation would reportedly expand that definition, potentially bringing a broader range of automated outreach tools back within the law's reach.

The TCPA currently provides statutory damages of $500 per violation and up to $1,500 per willful violation — figures that can compound quickly into class-wide exposure in the tens or hundreds of millions of dollars.

The bill has not yet been signed into law, and its prospects in a divided Congress remain uncertain. However, its introduction signals continued legislative attention on automated consumer communications and the boundaries of TCPA enforcement.

What to watch: Whether the bill advances through committee, and how industry groups respond to the proposed ATDS expansion.

2. Anne Arundel Dermatology Agrees to $2.4 Million Data Breach Settlement

Settlement Amount: $2,400,000

Who May Qualify: Patients whose personal or medical information was exposed in the data breach

Claim Deadline: To be confirmed — check the settlement administrator's website for updates

Anne Arundel Dermatology, a multi-state dermatology practice, has agreed to pay $2.4 million to resolve a consolidated class action lawsuit stemming from a cybersecurity incident, according to reporting from the HIPAA Journal.

The lawsuit alleged that the breach exposed sensitive patient information, including the types of personal and medical data typically maintained in healthcare records. Class action complaints in data breach cases of this nature commonly allege that affected patients faced an increased risk of identity theft, fraud, and the unauthorized disclosure of private health information.

Healthcare data breaches have drawn significant litigation activity in recent years, in part because of the sensitivity of the information involved — medical records can include Social Security numbers, insurance details, treatment history, and financial data.

The $2.4 million settlement, if approved by the court, would be distributed among class members who submit valid claims. Individual payout amounts would depend on the number of claimants, any documented out-of-pocket losses, and the specific terms of the settlement agreement.

Patients who received notice of the breach may be eligible to file a claim. Proof requirements have not been confirmed in publicly available reporting; some data breach settlements allow claims without documentation, while others require evidence of actual harm.

How to claim: Monitor the settlement administrator's website for claim form availability and deadline information.

3. Hilton, LinkedIn, PNC Bank, and Wells Fargo Named in Pixel Tracking Lawsuits

Status: Newly filed class actions — no settlement reached

Who's Affected: Website and app users of the named companies

Four major companies — Hilton Hotels, LinkedIn, PNC Bank, and Wells Fargo — are now facing class action lawsuits alleging they secretly tracked users' online activity through pixel trackers and other embedded technologies without obtaining proper consent, according to reporting from Top Class Actions.

Pixel tracking lawsuits have surged across industries over the past several years. The complaints typically allege that companies embedded invisible tracking pixels — often from third-party platforms such as Meta or Google — on their websites or within their apps, allowing those third parties to collect data about users' browsing behavior, health inquiries, or financial activity.

In the financial services context, the allegations raise particular concerns. The lawsuits against PNC Bank and Wells Fargo allegedly involve the tracking of users who logged into or interacted with banking portals, which plaintiffs contend may have transmitted sensitive financial information to third parties without users' knowledge or consent.

The lawsuit against Hilton allegedly involves tracking of guests' browsing and booking behavior, while LinkedIn faces claims related to user activity on its professional networking platform.

These cases commonly invoke state wiretapping statutes, the California Consumer Privacy Act (CCPA), and other state privacy frameworks. Plaintiffs in pixel tracking cases frequently argue that the interception of communications constitutes a violation of electronic privacy law, even when the data collected may appear routine.

All four lawsuits are in early stages. No settlements have been announced, and the companies have not yet had the opportunity to formally respond to the allegations in court.

What to watch: Whether courts certify these cases as class actions, and how defendants respond to the tracking allegations.

4. Iowa Attorney General Sues Change Healthcare Over 2024 Data Breach

Status: State enforcement action filed March 31, 2026

Who's Affected: Iowa residents — approximately 2.2 million people whose data was allegedly exposed

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, the UnitedHealth Group subsidiary at the center of one of the largest healthcare data breaches in U.S. history, according to reporting from Databreaches.net.

Filed on March 31, 2026, the Iowa complaint alleges that Change Healthcare violated state consumer protection and data security laws in connection with a 2024 cyberattack that the lawsuit claims affected nearly 2.2 million Iowa residents. The filing alleges the breach exposed sensitive personal and medical information, causing widespread harm to affected individuals.

Change Healthcare processes a substantial share of U.S. healthcare transactions, and the 2024 attack — attributed to the ALPHV/BlackCat ransomware group — disrupted pharmacy operations, insurance claims processing, and patient care across the country. Federal agencies, including the U.S. Department of Health and Human Services, have scrutinized the company's security practices in connection with the incident.

Iowa's action joins a growing body of state-level enforcement and private class action litigation stemming from the breach. Attorney general lawsuits differ from class actions in that they are brought on behalf of the state, but they can result in penalties, remediation requirements, and restitution for affected residents.

The lawsuit's claims have not yet been adjudicated, and Change Healthcare has not publicly responded to Iowa's specific allegations at the time of this writing.

What to watch: Whether other state attorneys general file similar actions, and how federal investigations into the breach progress alongside private litigation.

Key Takeaways

• TCPA reform is back on the legislative agenda. If the proposed ATDS expansion becomes law, it could dramatically increase exposure for businesses using automated calling and texting platforms — and open the door to a new wave of class action filings.
• Healthcare data breaches continue to drive significant settlement activity. The Anne Arundel Dermatology settlement reflects an ongoing pattern of litigation following medical data incidents, where the sensitivity of patient information tends to support class certification and settlement.
• Pixel tracking litigation is expanding beyond health and media companies. The new lawsuits against financial institutions and a hospitality brand suggest plaintiffs' firms are scrutinizing tracking practices across a wider range of industries.
• State attorneys general are an increasingly active force in data breach accountability. Iowa's lawsuit against Change Healthcare illustrates how state enforcement actions can run parallel to — and potentially amplify — private class action litigation.
• If you received a data breach notification, it may be worth reviewing whether a class action or settlement has been filed in connection with that incident. Settlement deadlines often arrive without additional notice to class members.

Have you been affected by any of the cases covered in this roundup? Share your experience in the comments below.

InjuryClaims.com reports on litigation developments for informational purposes only. Nothing in this article constitutes legal advice. Eligibility for any settlement or lawsuit is determined by attorneys and courts, not by this publication.