New U.S. Import Tariffs on Certain Automobiles and Parts
On March 26, 2025, President Trump signed an executive order directing new 25% tariffs on certain automobiles and automobile parts imported into the U.S. from all countries on or after April 3, 2025. This executive order comes as businesses await the outcome of the broader reciprocal trade plan also expected to be released on April 2.
The executive order builds on an investigation undertaken during President Trump’s first term focused on U.S. imports of passenger vehicles (sedans, sport utility vehicles, crossover utility vehicles, minivans and cargo vans), light trucks (collectively, automobiles) and certain automobile parts (engines and engine parts, transmissions and powertrain parts and electrical components — collectively, automobile parts) and their effect on the national security of the U.S. under Section 232 of the Trade Expansion Act of 1962, as amended (19 U.S.C. 1862) (Section 232). When the U.S. Department of Commerce (DOC) issued findings and recommendations to the President in February 2019, the President did not take any tariff action in response to the DOC’s determination that those imports threatened to impair the national security of the United States. Now, however, President Trump has determined that changes in import trends since the initial investigation and 2019 report have exacerbated risks to U.S. manufacturing, noting that “[t]oday, only about half of the vehicles sold in the United States are manufactured domestically[.]”
These new 25% tariffs, building on the prior investigation, will largely be effective for certain automobiles (to be identified in a subsequent notice in the Federal Register) on or after 12:01 a.m. Eastern Daylight Time on April 3, 2025. The effective date for parts could be deferred; the executive order specifies an effective date to be published in the Federal Register “but no later than May 3, 2025.
Automobiles and parts eligible for the U.S.-Mexico-Canada free trade agreement (USMCA) preferential treatment will be treated differently than all other imports. Where automobiles qualify for preferential tariff treatment under USMCA, importers of those automobiles may be permitted to submit documentation identifying or substantiating the amount of U.S. content in each model imported into the United States and pay duties only on the remainder. Where automobile parts qualify for preferential treatment under USMCA, those parts will be exempted from duties until such time that the DOC, in consultation with Customs, establishes a process to apply the tariff exclusively to the value of the non-U.S. content of such automobile parts and publishes notice in the Federal Register. “U.S. content” refers to the value of the automobile attributable to parts wholly obtained, produced entirely or substantially transformed in the United States.
The duties imposed by this order will be supplemental to duties on imports already imposed pursuant to other legal tools, including IEEPA (e.g. Canada, China and Mexico), Section 232 of the Trade Expansion of 1962 (e.g. steel and aluminum), Section 301 of the Trade Act of 1974 (e.g. China) and any other authority.
These duties will be imposed concurrent with other action taken under the President’s Reciprocal Trade Plan, which is expected to announce new tariffs on April 2, 2025, and with any new tariffs imposed under the President’s March 25, 2025 executive order granting the State Department discretion to impose 25% import duties on U.S. imports from countries that themselves import Venezuelan oil on or after April 2, 2025.
Utah Pioneers App Store Age Limits
Utah’s governor recently signed the first law which puts age restrictions on app downloads. The law (the App Store Accountability Act, SB 142), was signed yesterday (Wednesday, April 26, 2025). We anticipate that the law may be challenged, similar to NetChoice’s challenge to the Utah Social Media Regulation Act and other similar state laws.
Once in effect, the law will apply to both app stores and app developers. There are various effective dates – May 7, 2025, May 6, 2026 and December 31, 2026— as outlined below. Among its requirements are the following:
Age Verification: Under the new law, beginning May 6, 2026, app stores will need to verify the age of any user located in the state using “commercially reasonable” measures. Prior to that time, the Division of Consumer Protection will need to create rules that outline how age can be verified. Also starting May 2026, app developers will need to verify age categories “through the app store’s data sharing methods.” Age categories are children (users under age 13), younger teenagers (users between the ages of 13 and 15), older teenagers (users aged 16 or 17), and adults (users aged 18 and up).
Parental Consent/Notification: Beginning May 6, 2026, app stores will need parental before a minor can download or purchase an app, or make in-app purchases. Consent is to be obtained through a parental account that links to the child’s account. At the same time, app developers will need to verify that app stores have parental consent for minors’ accounts. They also have to notify app stores of any significant changes to their apps. When this happens, the app stores will need to notify users and parents of these changes and get parents’ renewed consent. App stores will also need to notify developers any time parents revoke their consent.
Contract Enforcement: Under the new law, beginning May 6, 2026, app stores will not be able to enforce contracts against minors unless they already have consent from the minors’ parents. This applies to app developers as well, unless they verify that the app store has consent from the minor’s parents.
Safe Harbor: The new law contains safe harbor provisions for app developers. Developers won’t be responsible for violating this law if they rely in good faith on information provided by the app store. This includes age information as well as confirmation that parents provided consent for minors’ account. For the safe harbor to apply, developers also need to follow the other rules set out for them by the law (described above).
Putting it into Practice: While we anticipate that this law will be challenged, it signals that states are continuing their focus on laws relating to children in the digital space. This is the first law that is focused on app stores, but we expect to see more in the future.
James O’Reilly contributed to this post.
California Cryobank Hit with Lawsuit over Sperm Donor Databank Breach
California Cryobank, LLC, the largest sperm bank in the country, faces a lawsuit in the U.S. District Court for the Central District of California over an April 2024 data breach. Cryobank provides frozen donor sperm and specialized reproductive health care services, including egg and embryo storage.
Cryobank notified the affected individuals this month that it detected suspicious activity on its network and determined that an unauthorized party gained access to its IT environment and may have accessed files containing personal information.
While sperm is commonly donated anonymously, the information is associated with a donor-assigned ID number. That ID number can then be used by offspring at 18 if they want to learn more about their biological father. Nevertheless, the security incident affected information including, patient names, Social Security numbers, driver’s license numbers, financial account numbers, and health insurance information. The complaint alleges that Cryobank failed to sufficiently protect and secure its patients’ personal and health information. The plaintiff is seeking class certification to include others affected by the data breach.
The complaint states that the individual notifications did not include “the identity of the cybercriminals who perpetrated this Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.”
The lawsuit asserts claims of negligence, breach of implied contract, and unjust enrichment, as well as violations of the California Unfair Competition Law and Confidentiality of Medical Information Act.
Joint Bulletin Warns Health Sector of Potential Coordinated Multi-City Attack
On March 20, 2025, the American Hospital Association (AHA) and the Health-ISAC issued an alert to the health care sector warning of a social media post that posed a potential threat “related to the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks.” The post targets “mid-tier cities with low-security facilities.”
The alert recommends “that teams review security and emergency management plans and heighten staff awareness of the threat,” including physical security protocols and practices, such as “having a publicly visible security presence.”
The alert, updated on March 26, 2025, indicates that the FBI has not identified a “specific credible threat targeted against hospitals in any U.S. city.” Nonetheless, the threat is concerning, and the recommendations of the AHA and Health-ISAC are worth noting.
Pennsylvania Teacher’s Union Faces Class Action over Data Breach
The Pennsylvania State Education Association (PSEA) faces a class action resulting from a July 2024 data breach. The proposed class consists of current and former members of the union as well as PSEA employees and their family members. The lawsuit alleges that the union was negligent and breached its fiduciary duty when it suffered a data breach that affected Social Security numbers and medical information. The complaint further alleges that the PSEA failed to implement and maintain appropriate safeguards to protect and secure the plaintiffs’ data.
The union sent notification letters in February 2025 informing members that the data acquired by the unauthorized actor contained some personal information within the network files. The letter also stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted [. . .] We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information.” The union also informed affected individuals that they did not have any indication that the information was used fraudulently.
The complaint alleges “actual damages” suffered by the plaintiff related to monitoring financial accounts and an increased risk of fraud and identity theft. Further, the complaint states that “the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches involving health information.”
In addition to a claim of negligence, the class alleges that the breach violates the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. The class is demanding 10 years of credit monitoring services, punitive, actual, compensatory, and statutory damages, as well as attorneys’ fees.
Personal Information Released in JFK Files
I am not sure what the rush was to make the JFK assassination files available, but the perceived urgency caused Social Security numbers of individuals involved in the investigation to be released to the public. Although The Washington Post found 3,500 Social Security numbers in the documents, it is estimated that many were duplicates, and over 400 individuals were affected.
The Social Security numbers contained in the over 60,000 pages of documents can be accessed online or in person. The Washington Post reported the unauthorized disclosure, and the National Archives then screened the documents “so that the Social Security Administration could identify living individuals and issue them new numbers.”
Unfortunately, the documents were not previously screened for personal information, a basic tenet of protection. It is another message reaffirming that the new administration does not prioritize data security.
Phishing Attacks – Anyone Can Get Owned
HaveIBeenPwned is a website that allows users to check whether their data has been involved in data breaches. The website’s creator, Troy Hunt, was the subject of a phishing attack earlier this week. The attack was unrelated to the HaveIBeenPwned website and compromised Hunt’s personal Mailchimp account.
According to Hunt, he received an email purporting to be from Mailchimp regarding a flag on his account. When he clicked the “Review Account” button, he was taken to a fake Mailchimp domain. Hunt notes in a blog post that he manually entered his credentials and that they did not auto-populate from his password management application as they usually would.
Hunt received and entered a one-time password and was taken to a hung page. Now suspicious, he then reportedly logged into the legitimate Mailchimp site and changed his password, but the phishing attack was likely an automated process. Within minutes, Hunt had already received notification emails from Mailchimp regarding login activity and list exports from another unknown IP address. Hunt noted that the list included approximately 16,000 records, including current and former blog subscribers.
Below is the screenshot shared on Hunt’s blog:
Our conception is that a typical phishing email tends to be poorly worded, involves an unusual payment request, and is a blatantly implausible email. However, this incident demonstrates that phishing attacks are becoming increasingly sophisticated and can happen to anyone.
Takeaways:
Sense of urgency can be subtle – As bad actors become more sophisticated, not all phishing emails will create an unbelievable sense of urgency, such as asking users to update their payment or billing information to unlock an account. In Hunt’s case, he acknowledged that the notification created “just the right amount of urgency without being over the top.” Any email from an organization or person creating a sense of urgency warrants pause and contemplation before clicking or performing any action.
Circumvention of password manager could be a sign – Password managers are designed to autofill credentials on known websites. Hunt realized that his credentials did not populate into the fake Mailchimp site, which, in hindsight, was a potential sign of unusual activity. If a site that typically remembers your credentials requests them, this might be (though it is not always) a sign of a spoofed domain.
One-time passwords are not foolproof – Although multi-factor authentication provides enhanced security over using only usernames and passwords, one-time passwords cannot protect against such automated phishing attacks because once the user enters the one-time password onto the spoofed site, the bad actor now has access to the legitimate account.
Passkeys are more phishing-resistant – A passkey is a password replacement, where a digital credential tied to a user’s account allows them to authenticate into the account. Passkeys rely on biometrics or swipe patterns to sign users into accounts. Passkeys cannot be stolen as easily as passwords because they require the bad actor to have access to users’ biometrics or swipe patterns, which is not readily accessible.
No single tip or trick can help prevent phishing attacks, but remaining vigilant and enacting certain security measures can minimize the chances of becoming subject to such social engineering schemes.
Best Method Challenge Continues to Offer “a Material Advantage” – Zoetis Services LLC v Boehringer Ingelheim Animal Health USA Inc [2024] FCAFC 145
Finding against Zoetis, the Full Federal Court held that Zoetis’ three patent applications relating to pig vaccines were invalid due to the failure to disclose the best method.
The Court’s analysis focused on one of Zoetis’ patent applications (the 535 Application), as the parties agreed that the finding would apply to the other patent applications. The key issue was whether Zoetis’ disclosure of a range of varying antigen concentrations for its investigational vaccine products (IVPs) satisfied the best method requirement. Notably, the antigen concentration disclosed in the specification was provided relative to a reference vaccine, the concentration of which was not disclosed.
The best method arguments centered around the observations in Apotex v Servier that the patentee “has an obligation to include aspects of the method of manufacture that are material to the advantages it is claimed the invention brings“. In addressing this question, the Full Court concluded:
The specific (absolute) antigen concentration was material to the alleged advantages of the claimed invention and therefore had to be disclosed;
Zoetis knew the specific (absolute) antigen concentration that conferred the advantages as it had produced IVPs and conducted trials;
Within the antigen ranges claimed by Zoetis, different experimental compositions demonstrated different levels of efficacy; and
The disclosure of a possible range of concentration of antigens failed the best method requirement as it was not a ‘fair disclosure’ of the best method.
AI Governance: Steps to Adopt an AI Governance Program
There are many factors to consider when assisting clients with assessing the use of artificial intelligence (AI) tools in an organization and developing and implementing an AI Governance Program. Although adopting an AI Governance Program is a no-brainer, no form of a governance program is insufficient. Each organization has to evaluate how it will use AI tools, whether (and how) it will develop its own, whether it will allow third-party tools to be used with its data, the associated risks, and what guardrails and guidance to provide to employees about their use.
Many organizations don’t know where to start when thinking about an AI Governance Program. I came across a guide that I thought might be helpful in kickstarting your thinking about the process: Syncari’s “The Ultimate AI Governance Guide: Best Practices for Enterprise Success.”
Although the article scratches the surface of how to develop and implement an AI Governance Program, it is a good start to the internal conversation regarding some basic questions to ask and risks that may be present with AI tools. Although the article mentions AI regulations, including the EU AI Act and GDPR, it is important to consider state AI regulations being introduced and passed daily in the U.S. In addition, when considering third-party AI tools, it is important to question the third-party on how it collects, uses, and discloses company data, and whether company data is being used to train the AI tool.
Now is the time to start discussing how you will develop and implement your AI Governance Program. Your employees are probably already using it, so assess the risk and get some guardrails around it.
EPA Extends 2024 RFS Compliance Reporting Deadline
The U.S. Environmental Protection Agency (EPA) issued a final rule on March 14, 2025, extending the Renewable Fuel Standard (RFS) compliance reporting deadline for the 2024 compliance year. 90 Fed. Reg. 12109. As reported in our January 8, 2025, blog item, EPA published a proposed rule on December 12, 2024, that would partially waive the 2024 cellulosic biofuel volume requirement and revise the associated percentage standard under the RFS program due to a shortfall in cellulosic biofuel production. 89 Fed. Reg. 100442. As a result of this proposed change, EPA proposes to extend the RFS compliance reporting deadline for the 2024 compliance year. In its March 14, 2025, final rule, EPA does not make final the proposed partial waiver or most of the other proposed amendments to other RFS provisions, instead stating that it may address them in a later action. According to EPA, it expects that the effective date of the revised 2024 cellulosic biofuel standard will not occur until after the March 31, 2025, original 2024 RFS compliance reporting deadline. To provide obligated parties with sufficient time to carry out and adjust their compliance strategies once EPA issues the final revised 2024 cellulosic biofuel standard, it is extending the 2024 RFS compliance reporting deadline from March 31, 2025, to the next quarterly compliance reporting deadline after the effective date of the final rule establishing the revised 2024 cellulosic biofuel standard. EPA states that by operation of law, the 2024 attest engagement deadline would also be extended to the next June 1 annual attest engagement reporting deadline after the revised 2024 RFS compliance reporting deadline. EPA also made several minor amendments and technical corrections to other RFS provisions. The rule was effective March 13, 2025.
THE WHITE COAT DIDN’T BETRAY YOU—THE PIXEL DID: Judge Keeps Florida Wiretap Case Against Hospital Alive
Greetings CIPAWorld!
Your search history reveals more about you than you might realize. If you’ve ever noticed suspiciously specific medical ads appearing after researching health concerns online, you’re not just being paranoid; you’re witnessing sophisticated tracking technologies at work.
A federal court in Florida handed down a decision that should make us pause before typing that symptom into a healthcare website’s search bar. Here, this case involves a patient who claimed her medical searches on Orlando Health’s website allegedly led to targeted Facebook ads for her specific medical conditions. See W.W. v. Orlando Health, Inc., No. 6:24-cv-1068-JSS-RMN, 2025 U.S. Dist. LEXIS 40038 (M.D. Fla. Mar. 6, 2025).
Judge Julie S. Sneed’s ruling in W.W. v. Orlando Health, Inc. denied most of the healthcare provider’s attempts to dismiss the lawsuit, potentially opening the door for closer scrutiny of how medical websites track and share our sensitive health information. As someone who has researched medical information online in the past (who doesn’t these days?), I wondered exactly what happens when I click that “search” button on my insurance carrier’s website.
The Plaintiff alleged she used Orlando Health’s website to research conditions, including ileostomy, heart problems, and fatty liver disease. She later noticed Facebook advertisements popping up for products related to these exact conditions—ileostomy bags, heart failure treatments, and services from Orlando Health neurologists. Coincidence? Plaintiff didn’t think so, and Judge Sneed found her claims plausible enough to proceed.
However, the medical context elevates this case beyond another privacy suit. The Court noted that Orlando Health operates over 100 medical facilities. It encourages patients to use its website to communicate medical symptoms, conditions, and treatments via the search bar and related webpages, including access to appointment booking and the MyChart patient portal. As such, this wasn’t a casual browsing session but an online extension of the doctor-patient relationship.
What makes this case particularly concerning is the nature of the tracking technology itself. Plaintiff alleges that Orlando Health employed tracking tools that operate largely invisibly to users. Judge Sneed acknowledged this reality, noting these technologies are hidden from users’ view and difficult to avoid, even for the particularly tech-savvy user. This creates a troubling power imbalance—patients have no meaningful way to opt out of tracking that they don’t even know is happening.
Even more fascinating is how the court analyzed the claims of the Florida Security of Communications Act (“FSCA”). I think it’s important I highlight the FSCA… after all, I am a Floridian. The FSCA prohibits the intentional interception of electronic communications, and Orlando Health argued that what was being tracked was merely metadata, not the actual content of communications. But Judge Sneed distinguished this case from previous decisions involving commercial websites.
The key difference? Medical searches reveal something fundamentally private about us. For instance, if I decide to search “cardiologist for heart palpitations,” I’m not just clicking links—I’m communicating sensitive information about my health condition. The Court recognized this distinction, noting that information about a user’s medical conditions and healthcare searches constitutes ‘contents’ protected under these statutes.
To break this down further, the FSCA defines “contents” as “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7). The Court emphasized that URLs and search queries on a medical website reflect the message Plaintiff sought to convey to Defendant through its website, thus satisfying the statutory standard. Judge Sneed’s approach relied on Black’s Law Dictionary to define “substance,” “purport,” and “meaning,” grounding her interpretation in long-standing legal usage.
As a result, Judge Sneed determined that W.W. successfully alleged all three required elements for an FSCA claim: (1) that Orlando Health intentionally intercepted her electronic communications, (2) that these interceptions captured protected “contents” under the statute, and (3) that she had not consented to this interception. The Court emphasized that Plaintiff has adequately alleged that the electronic communications she claims were intercepted were ‘contents’ as defined by the FSCA.
Orlando Health relied heavily on a Florida case, Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *1 (Fla. Cir. Ct. June 17, 2021), which involved “session replay” technology tracking users’ movements on a commercial airline website. But Judge Sneed pointed out three crucial differences: first, Jacome involved different tracking technology in a non-healthcare context; second, the very case Orlando Health relied on actually supported W.W.’s position by acknowledging that medical records deserve protection; and third, other courts facing similar healthcare tracking cases have reached conclusions favorable to patients. The Court held that Plaintiff’s claims are predicated on the tracking tools’ interception of her communications… not on the simple fact that her movements on Defendant’s website were tracked.
Moreover, the Court analyzed multiple cases where similar tracking tools on healthcare websites were found potentially liable under wiretap laws. In A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *5-7 (N.D. Ill. Sept. 9, 2024), the Northern District of Illinois denied a motion to dismiss, finding that URLs containing search terms about medical conditions constituted protected content. Similarly, in R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 885, 903 (C.D. Cal. 2024), the Court found that when tracking technologies shared information about “sensitive healthcare products” with Meta and Google, resulting in targeted ads, this information “reveal[ed] a substantive message about [the p]laintiffs’ health concerns.”
As such, the ruling on the FSCA claim is principally significant because, as Judge Sneed noted, “the FSCA was modeled after the Wiretap Act, [and] Florida courts construe the FSCA’s provisions in accord with the meaning given to analogous provisions of the Wiretap Act.” W.W., 2025 U.S. Dist. LEXIS 40038, at *7. This means the Court’s interpretation of what constitutes “contents” under the FSCA directly influenced its analysis of the federal Wiretap Act claim.
What I found particularly striking was the Court’s reference to the Ninth Circuit’s decision in In re Zynga Priv. Litig., 750 F.3d 1098 (9th Cir. 2014). While that case found that basic website header information wasn’t protected content, it explicitly stated that “a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” This distinction has become crucial in healthcare privacy cases, with courts like the Northern District of California in Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023), recognizing that “a URL disclosing a ‘search term or similar communication made by the user’ ‘could constitute a communication’ under the [Wiretap Act].”
Next, the Court also looked at similar cases in other jurisdictions. In In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 712, 718, 720 (D. Minn. 2023), a Minnesota Court determined that technology that “surreptitiously track[ed] users’ interactions on the [defendant’s w]ebsites and transmit those interactions to [Meta]” was actionable under the Wiretap Act. Similarly, in Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *9 (W.D. Wash. Dec. 19, 2023), a Washington Court found similar allegations sufficient under California’s Invasion of Privacy Act (“CIPA”).
The Court’s analysis demonstrated a sophisticated understanding of how modern tracking tools actually function. Judge Sneed described how the Facebook Pixel works, explaining that it causes the user’s web browser to instantaneously duplicate the contents of the communication with the website and send the duplicate from the user’s browser directly to Facebook’s server. In a sense, it’s like having a third person secretly photocopy your private medical forms as you fill them out—except it happens digitally, all without your knowledge. That’s a scary thought.
One crucial legal issue the Court had to address was whether Orlando Health could be liable under the Wiretap Act as a party to the communications. Normally, a party to communications can’t “intercept” them under the law. But Judge Sneed found that the “crime-tort exception” might apply, which creates liability when a party intercepts communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). This exception has created a split among federal courts, with some like B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) rejecting its application, while others like Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 380 (S.D.N.Y. 2024) have held that “A defendant’s criminal or tortious purpose of knowingly disclosing individually identifiable health information to another person in violation of HIPAA may satisfy the crime-tort exception.”
Let’s just think about this for a moment. When you visit your healthcare provider’s website and search for information about a medical condition, you’re effectively having a private conversation about your health. This is a conversation you reasonably expect to stay between you and your provider. Plaintiff alleges that Orlando Health allowed Facebook and Google to listen to this conversation without her knowledge or consent and then use what they heard to sell her things. That’s not just invasive—it’s monetizing vulnerability. The Complaint even describes Meta Pixel and Google’s APIs duplicating real-time communications and sending them to third-party servers without user awareness.
I remember searching for allergy specialists on my insurance provider’s website, only to suddenly see my social media feeds filled with ads for allergy medications. It felt like someone had been reading over my shoulder—because in a digital sense, they had been. This is a troubling loophole in our digital privacy framework. While HIPAA strictly regulates how healthcare providers handle patient information in traditional contexts, the rules often become murky in digital environments. The law hasn’t caught up to the technology, and it’s essential that case law helps close that gap.
The Court recognized other claims as well, including breach of confidence. Judge Sneed emphasized the profoundly personal nature of health information, quoting Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998): “One can think of few subject areas more personal and more likely to implicate privacy interests than that of one’s health.” Additionally, the Court also allowed unjust enrichment and breach of implied contract claims to proceed, acknowledging that private health information has economic value that healthcare providers shouldn’t be able to exploit without consent. Judge Sneed agreed that Defendant obtained enhanced advertising services and more cost-efficient marketing from the data disclosures, which plausibly conferred a benefit on Orlando Health without Plaintiff’s consent.
In an interesting development for data privacy attorneys, the Court expressly recognized the economic value of personal health information. As Judge Sneed noted, courts should not “ignore what common sense compels it to acknowledge—the value that personal identifying information has in our increasingly digital economy…. Consumers too recognize the value of their personal information and offer it in exchange for goods and services.” W.W., 2025 U.S. Dist. LEXIS 40038, at *32-33 (quoting In re Marriott Int’l, Inc., 440 F. Supp. 3d 447, 462 (D. Md. 2020)).
Interestingly, the Court did dismiss one claim—invasion of privacy by intrusion upon seclusion—finding that Florida law requires an intrusion into a private “place” rather than merely a private activity. As Pet Supermarket, Inc. v. Eldridge, 360 So. 3d 1201, 1207 (Fla. Dist. Ct. App. 2023) specified, “Florida law explicitly requires an intrusion into a private place and not merely into a private activity.” This reveals a gap in privacy law that has not yet adjusted to the digital age, where violations occur in virtual rather than physical spaces.
The irony here is palpable. Healthcare providers are bound by HIPAA and other regulations that severely restrict how they can share our health information in traditional contexts. Yet some providers may allow tech companies to access this information through their websites with far less oversight.
Judge Sneed’s decision aligns with similar rulings in cases like D.S. v. Tallahassee Mem’l HealthCare, No. 4:23cv540-MW/MAF, 2024 WL 2318621, at *1 (N.D. Fla. May 22, 2024), and Cyr v. Orlando Health, Inc., No. 8:23-cv-588-WFJ-CPT (M.D. Fla. July 5, 2023). In Tallahassee Memorial, the Court denied dismissal of identical claims where a healthcare provider allegedly disclosed patient information to Meta and Google through website tracking. Similarly, in Cyr—another case against Orlando Health itself—the Court found the plaintiff’s claims plausible and worthy of proceeding past the pleading stage. This suggests that Courts are increasingly receptive to these digital privacy concerns in the healthcare context.
All in all, healthcare marketers may need to rethink their digital strategies, and patients might finally gain transparency into how their online health searches are being monetized. The next time you search for symptoms online or book a medical appointment through a website, remember that a seemingly private digital conversation might have more participants than you realize.
Behavioral Health Law Ledger | March 2025
Welcome to the Ledger
The March 2025 issue of Greenberg Traurig’s quarterly Behavioral Health Law ledger explores two behavioral health legal developments: proposed legislation in several states that would affect behavioral and mental health operations, including reimbursement for mental health services and enforcement of fraud and abuse laws for substance use disorder facilities; and a rise in hospital closures, including psychiatric hospitals.
Pending Legislation Review: State Legislation that May Impact Behavioral Health
Multiple states have introduced legislation with may affect behavioral and mental health operations on a state level.
Legislation on Behavioral Health Operations
Colorado
Colorado Senate Bill 25-042 proposes to empower Colorado’s Behavioral Health Administration to address reimbursement shortages for behavioral health services and to fill in gaps in Colorado’s continuum of care for behavioral health crises. On an operational level, this would increase the number of reimbursable days for inpatient mental health services from 15 days to 60 days. In addition, this bill proposes to amend how involuntary mental health holds are handled and would change the discharge requirements for patients admitted on involuntary mental health holds.
Possible effects: Should this bill pass, we anticipate changes relating to reimbursement for mental health services in Colorado, which may improve accessibility gaps that persist. Nevertheless, even if the bill does not pass, this legislation demonstrates Colorado legislators’ focus on behavioral health in the state and continues the trend of improving access to, and reimbursement for, behavioral health services state-wide.
California
California Senate Bill 35 proposes to revise existing enforcement and increase scrutiny on substance use disorder (SUD) recovery facilities within California. Operationally, this bill would authorize the suspension and/or revocation of SUD facilities’ licenses for facilities who engaged in patient brokering and other kickback schemes. This bill would also empower city and district attorneys to enforce these measures, thereby potentially increasing local enforcement and scrutiny.
Possible effects: This is the second bill on scrutiny into SUD recovery facilities to be introduced since the passage of California’s Ethical Treatment for Persons with Substance Use Disorder Act (Cal. Health & Safety Code § 11857 et seq.) in 2022. Should this bill pass, it would strengthen enforcement of fraud and abuse laws for SUD facilities. However, even if the bill does not pass, this proposed legislation demonstrates a continued focus on and prioritization of SUD facility compliance within California.
Legislation on Mental Health Services and Education
Eighteen states have proposed legislation regarding education around maternal mental health. These states are Alabama, Arizona, California, Connecticut, Georgia, Maryland, Massachusetts, Minnesota, Mississippi, New Hampshire, New Jersey, New Mexico, Oklahoma, Tennessee, Virginia, and West Virginia.
These proposed bills include legislation to provide coverage for perinatal and post-partum depression screening, extending delivery and post-natal care to fee-for-service models to improve care outcomes, improving patient and practitioner education on maternal mental health, and legislation commissioning studies on SUDs and behavioral health concerns within maternal mental health.
Together, these bills represent a continued state-level shift towards prioritizing mental health on a populational level. Should these bills pass, we anticipate potential changes in reimbursement and covered services on a state level, as well as further research into this field.
Rise in Hospital Closures May Reduce Accessibility of Behavioral Health Services
In 2025, there has been a large increase in closures of hospitals, including psychiatric hospitals. To date in 2025, at least 13 hospitals have closed their doors or announced imminent closures. In almost every case, the hospital administrators have stated that the decision to cease operations was caused by financial and operational considerations, including reimbursement challenges and ongoing labor shortages.1 At least one other hospital has shuttered its inpatient psychiatric wing following ongoing concerns regarding its patient census and reimbursement.2
Of the 13 hospitals to have closed or announced imminent closure, two are in Colorado, where an additional hospital-based behavioral health provider is also closing (or at least reorganizing and relocating its operations elsewhere). On March 1, 2025, Johnstown Heights Behavioral Health ceased operations. West Springs Hospital closed effective March 10, 2025. Each of these hospitals cited ongoing financial and operational struggles that influenced these closures. Finally, West Pines Behavioral Health, a hospital-based behavioral health provider, has announced it will close its Lutheran Hospital campus operations effective March 31, 2025.3 Much of its staff and operations appear to have been relocated to the new West Pines Behavioral Hospital, which is a fairly new adult (with adolescent and senior inpatient services coming in the near future) psychiatric hospital in Westminster through the partnership of Acadia Healthcare and Intermountain Health that was initially licensed as a psychiatric hospital in December 2024.4 Including the new addition of West Pines Behavioral Hospital, there are now eight psychiatric hospitals in Colorado, two of which are run by the state of Colorado, and all eight of which are on the front range urban corridor of Colorado.
These closures come on the heels of the Center for Healthcare Quality and Payment Reform’s February 2025 Report stating that “[m]ore than 700 rural hospitals—one-third of all rural hospitals in the country—are at risk of closing because of the serious financial problems they are experiencing. Over 300 of these rural hospitals are at immediate risk of closing because of the severity of their financial problems.” In light of ongoing nationwide financial struggles of health care providers, including psychiatric hospitals and those serving rural populations, behavioral health patients may face reduced accessibility for behavioral and mental health care, especially on Colorado’s western slope, despite increasing need for such service access in recent years.
1 See 10 hospital closures in 2025 – Becker’s Hospital Review | Healthcare News & Analysis.
2 See Endeavor cuts jobs amid service reductions – Becker’s Hospital Review | Healthcare News & Analysis.
3 See generally Nearly 500 behavioral health workers in Colorado have been laid off in the past 3 months | The Colorado Sun.
4 See Colorado to get more mental health bed options, new hospital amid “near crisis” | the Colorado Sun.