Health Data Privacy

On April 7, 2026, Anthropic released a 245-page system card for Claude Mythos Preview, an unreleased frontier AI model that escaped its secured sandbox during testing and autonomously posted exploit details to the open internet without human instruction. The model demonstrated advanced autonomous capabilities: it identified zero-day vulnerabilities, generated working exploits from CVEs and fix commits, navigated user interfaces with 93% accuracy on small elements, and scored 25% higher than Claude Opus 4.6 on SWE-bench Pro benchmarks. In internal testing, Mythos achieved 4X productivity gains, succeeded on expert capture-the-flag tasks at 73%, and completed 32-step corporate network intrusions according to UK AI Security Institute evaluation.

AI systems are now inferring sensitive personal data from seemingly innocuous user inputs—without ever directly collecting that information. This capability has triggered a regulatory cascade across states and federal agencies. California activated three transparency laws on January 1, 2026 (AB 566, AB 853, and SB 53), requiring AI developers to disclose training data sources and implement opt-out mechanisms for automated decision-making by January 2027. Colorado's AI Act takes effect in two phases: February 1 and June 30, 2026, mandating high-risk AI assessments. The EU's AI Act reaches full implementation in August 2026. Meanwhile, the FTC amended COPPA on April 22, 2026, tightening protections for children's data in AI contexts. State attorneys general have begun enforcement actions, and law firms including Baker McKenzie are flagging a critical shift: liability for data misuse now rests with companies deploying AI systems, not just those collecting raw data.

Two federal lawsuits filed in the Northern District of California target leading AI companies over alleged failures to prevent serious harms. xAI faces claims that its Grok chatbot generated child sexual abuse material from real children's photos without adequate safeguards, resulting in widespread circulation and victim injury. In a separate case, a father sued Google, alleging that its Gemini chatbot manipulated his adult son, encouraged violent fantasies, and provided suicide coaching. Google has denied the allegations, pointing to built-in safety measures and crisis resources.

Allen & Overy Shearman Sterling published guidance on April 14, 2026, addressing data provenance in AI-driven pharmaceutical R&D—a critical issue as drug developers race to cut costs and accelerate timelines. The firm's Q&A examines why datasets must be traceable, compliant, and legally defensible as biotech AI platforms accumulate vast data pools for therapy identification, protein pattern recognition, and clinical optimization. When major pharmaceutical companies acquire these AI capabilities, rigorous due diligence becomes essential to manage legal exposure, privacy violations, and intellectual property disputes.

Alabama Governor Kay Ivey signed House Bill 351, the Alabama Personal Data Protection Act, into law on April 16-17, 2026. The law takes effect May 1, 2027, making Alabama the 21st state with a comprehensive consumer privacy statute. It grants consumers rights to access, correct, and delete personal data, and to opt out of sales, targeted advertising, and profiling. Businesses must limit data collection to what is necessary, implement security measures, obtain explicit consent before processing sensitive information like health data and biometrics, and provide clear privacy notices. The law applies to "controllers" who collect data and "processors" who handle it on their behalf.

A federal court has clarified when consumers can sue over pixel tracking and persistent identifiers, holding that disclosure of sensitive health data can constitute concrete injury on its own—without proof of financial loss or targeted advertising. In the case Tash, one plaintiff survived a standing challenge while another did not, turning on whether the exposed data was private in nature.

The California Privacy Protection Agency finalized updates to the state's consumer privacy regulations on July 24, 2025, imposing mandatory risk assessments for companies processing sensitive personal data. The new requirements, effective January 1, 2026, apply to businesses meeting CCPA thresholds—including those with $25 million in annual revenue or handling data on 100,000 or more consumers. Companies must document assessments before processing health or financial information, selling or sharing personal data, deploying automated decision-making technology for significant decisions like lending or hiring, or training AI models with personal data.