📋 Case Overview

Coverage Period: February 2026

Cases Covered: 4

Verticals: Data Breach, TCPA, Privacy

Status: Active litigation and settlements

Privacy & Data Breach Lawsuits to Watch: February 2026 Roundup

February 2026 brought a fresh wave of privacy-related legal developments — from a social engineering attack that exposed nearly one million fintech customers to a landmark Google settlement that redraws how the search giant handles your personal data. If your information was caught up in any of these incidents, or if you've been on the receiving end of unwanted text messages, time-sensitive deadlines and legal proceedings may affect your options. Here's what you need to know.

1. Figure Fintech Data Breach — 967,178 Accounts Exposed

Incident Date: January 2026

Breach Confirmed: February 2026

Who May Be Affected: Customers of the fintech lending platform Figure

Data Exposed: Names, email addresses, phone numbers, physical addresses, and dates of birth

According to breach records tracked by HaveIBeenPwned, data obtained from Figure — a prominent fintech lending platform — was publicly posted online in February 2026, exposing over 967,000 unique accounts. The exposed dataset, which dates to January 2026, included names, email addresses, phone numbers, home addresses, and dates of birth.

Figure confirmed the incident, attributing it to a social engineering attack in which an employee was reportedly tricked into granting unauthorized access to internal systems. Social engineering attacks — in which bad actors manipulate employees rather than exploit technical vulnerabilities — have become an increasingly common vector for corporate data breaches.

Class action litigation in data breach cases of this nature typically follows shortly after public disclosure. Individuals whose personal information was exposed may be eligible to participate in any resulting legal proceedings. Affected individuals should monitor their credit and watch for phishing attempts using the exposed personal data.

How to check your exposure: Visit HaveIBeenPwned's Figure breach page and enter your email address to see if your account was included in the breach.

2. Centrelake Medical Group & Des Moines Orthopaedic Surgeons — Healthcare Data Breach Settlements Reached

Status: Settlements Reached

Who May Be Affected: Patients of Centrelake Medical Group (California) and Des Moines Orthopaedic Surgeons (Iowa)

Data Exposed: Medical and personal information (specific data types vary by case)

Class action lawsuits stemming from data breaches at two separate healthcare providers have been resolved through settlement agreements, according to reporting published in February 2026.

Centrelake Medical Group, a California-based imaging and oncology practice, and Des Moines Orthopaedic Surgeons, an Iowa orthopedic care provider, each faced litigation alleging that patient data was inadequately protected. Healthcare data breaches are considered particularly sensitive because exposed records may include not only personal identifiers but also protected health information.

Settlement details, including claim deadlines and potential payout amounts, had not been fully disclosed in available reporting at the time of this publication. Individuals who received notice of either breach should review any settlement communications they may have received and watch for formal claim filing instructions.

How to claim: Affected patients should check for mailed or emailed class notices from settlement administrators. Claim portals are typically established after court approval of settlements.

3. Google Real-Time Bidding Privacy Settlement — Final Approval Granted

Status: Final Approval Granted

Monetary Compensation: None for class members

Who May Be Affected: Google users whose personal data was allegedly auctioned to advertisers

Relief: New privacy controls within Google's ad platform

A federal judge granted final approval to a class action settlement against Google in February 2026, resolving claims that the technology company illegally sold users' personal information through real-time bidding auctions for online ad space, according to reports on the case.

The lawsuit alleged that Google shared users' personal data — including browsing behavior and identifiers — with advertisers bidding for ad placements, without adequate user consent. Google disputed the allegations but agreed to settle.

Notably, the settlement does not include direct monetary payments to class members. Instead, Google agreed to implement new user-facing privacy controls that give individuals greater ability to manage how their data is used in the ad auction process. Courts sometimes approve non-monetary settlements when injunctive relief — changes in company behavior — is deemed to provide meaningful benefit to the class.

How to claim: Because no monetary fund was established, there is no claim form for this settlement. The relief takes the form of new product features rolled out to Google users.

4. Zealthy TCPA Lawsuit — Telehealth Company Accused of Ignoring "Stop" Requests

Status: Active Litigation

Statute: Telephone Consumer Protection Act (TCPA)

Who May Be Affected: Consumers who received unsolicited text messages from Zealthy after requesting to opt out

Potential Damages: Up to $500–$1,500 per text message under the TCPA

A newly surfaced lawsuit alleges that Zealthy, a telehealth and wellness company, continued sending promotional text messages to a consumer even after that consumer repeatedly requested the messages stop — including explicit use of the word "STOP," according to coverage of the case published in February 2026.

Unlike a recently noted trend of "opt-out evasion" suits — where plaintiffs deliberately use indirect language to avoid triggering automated stop systems — this case reportedly involves a consumer who used direct and unambiguous opt-out language. The lawsuit alleges Zealthy continued sending messages regardless.

Under the Telephone Consumer Protection Act, companies are generally required to honor opt-out requests promptly. Failure to do so can expose senders to statutory damages of $500 per message, which can rise to $1,500 per message for willful violations. In cases involving multiple messages, potential damages can accumulate quickly.

Consumers who believe they received unsolicited texts from Zealthy — particularly after requesting to stop receiving them — may wish to consult with a TCPA attorney to understand their options.

How to follow this case: The lawsuit is in early stages. Check back for updates as the litigation progresses.

Key Takeaways

• Social engineering is a growing breach vector. The Figure breach illustrates that hackers don't always need sophisticated technical tools — tricking a single employee can expose nearly one million customer records.
• Healthcare breach settlements are moving. The simultaneous resolution of two separate medical data breach cases signals continued pressure on healthcare providers to secure patient data and respond to litigation.
• Non-monetary settlements are valid outcomes. The Google settlement produced no cash for consumers, but court-approved privacy controls can still represent meaningful class-wide relief.
• "STOP" means stop. The Zealthy lawsuit is a reminder that under the TCPA, businesses have a legal obligation to honor opt-out requests — and ignoring them can be costly.
• Check breach databases. Tools like HaveIBeenPwned allow consumers to check whether their email address was included in known data breaches before formal notification arrives.

Have you been affected by any of the breaches or legal developments covered in this roundup? Share your experience in the comments below.

InjuryClaims.com does not provide legal advice. Information presented here is for educational purposes. Eligibility for any settlement or legal proceeding can only be determined by a qualified attorney.