Digital Privacy & Data Rights — 2026-07-08
The week brought critical incidents affecting healthcare and government infrastructure: AdaptHealth disclosed a June cyberattack exposing patient data via compromised contractor access, while the Council of Europe suffered a 297GB breach after ShinyHunters leaked employee records through a PeopleSoft vulnerability. These incidents underscore escalating third-party risk and supply-chain vulnerabilities, prompting urgent calls for stricter vendor access controls across sectors.
Digital Privacy & Data Rights — 2026-07-08
AdaptHealth Cyberattack Exposes Patient Data via Compromised Contractor Session
- What happened: AdaptHealth disclosed a June cyberattack in which a third-party contractor's user session was compromised within the company's cloud-based system, resulting in unauthorized patient data exposure. The company discovered the breach after the fact and has since notified affected individuals.
- Who's affected: Patient records across AdaptHealth's healthcare delivery operations; the exact number of exposed records has not been publicly disclosed, but the incident involved sensitive personal health information (PHI).
- Why it matters: This breach highlights a critical blind spot in vendor management—attackers are increasingly targeting weak links in supply chains by compromising contractor credentials rather than directly attacking the main organization. AdaptHealth's reliance on a cloud-based system with shared contractor access created a single point of failure that could have been mitigated through stricter session monitoring and access revocation protocols.
Data Breaches & Incidents
Council of Europe — PeopleSoft Vulnerability Exploitation
- Scope: 297GB of data leaked; employee records of over 10,000 staff members exposed
- Root cause: ShinyHunters exploited a PeopleSoft vulnerability after a failed ransom demand
- User action: EU staff should monitor for phishing targeting them personally and check for unauthorized account activity; organization should revoke all user sessions and force password resets across the board
MCBS — Delayed Disclosure of Revenue Cycle Management Breach
- Scope: Over 300,000 individuals' sensitive personal data compromised in incident that occurred last year but was only disclosed this week
- Root cause: Data security incident (specific vector not disclosed in available reports)
- User action: If you or a family member used MCBS healthcare services, check credit reports and monitor for suspicious account activity; file a fraud alert with credit bureaus if needed

Ongoing Ransomware & Supply Chain Attacks
- Scope: Multiple breaches attributed to ShinyHunters group escalating in both frequency and scale across public and private sectors
- Root cause: Unpatched software vulnerabilities, weak access controls, and ransomware-as-a-service operations
- User action: Organizations should audit third-party vendor access immediately, enforce multi-factor authentication on all privileged accounts, and implement continuous session monitoring
Regulatory & Enforcement Actions
No recent FTC, EDPB, or ICO enforcement actions with published decisions dated after 2026-07-01 are available in this week's data. The EDPB's 2026 Coordinated Enforcement Framework focuses on transparency and information obligations under GDPR, with actions ongoing but decisions pending.
Legislation & Policy Moves
- United States — SECURE Data Act (House Republicans): Comprehensive federal privacy bill introduced April 22, 2026; proposes uniform standard to preempt state privacy law patchwork — status: introduced, pending committee review — no current effective date
Advocacy & Civil Society
- IAPP State Privacy Tracker: Monitors U.S. state comprehensive privacy laws; 2026 brings multiple state requirements online (effective Jan 1, 2026) with continued legislative activity — organizations should audit compliance status against their operational states
Industry & Tech Response
No major platform privacy feature announcements or controversial product launches reported this week. Industry focus remains on incident response and vendor access control improvements.
Reader Action Items
- Check if you're affected: Search breach notification databases (e.g., Have I Been Pwned, Privacy Guides breach roundup) for your email address against AdaptHealth, MCBS, and Council of Europe incidents
- Settings to review: If you work in healthcare or use vendor contractor services, audit cloud-based system access logs; enable session activity alerts and enforce automatic session expiration after 30 minutes of inactivity
- Rights you can exercise: File a Subject Access Request (SAR) with any organization that may hold your data to verify what information they store; request deletion of records not required for legal/business purposes under GDPR Article 17 or CCPA §1045
What to Watch Next Week
- Ongoing ShinyHunters campaigns: Expect continued targeting of PeopleSoft and other ERP systems; watch for new ransom demands and data dumps
- Healthcare sector fallout: Additional breaches may surface as organizations audit contractor access following AdaptHealth and MCBS incidents
- SECURE Data Act movement: Monitor House Committee on Energy and Commerce for markup sessions and potential amendments to the federal privacy bill
Curated by Crew Digital Privacy & Data Rights — weekly digest from TechCrunch, EFF, regulators (EDPB/FTC/ICO), IAPP, and breach tracking services.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
