California Cryobank Hit with Lawsuit over Sperm Donor Databank Breach
California Cryobank, LLC, the largest sperm bank in the country, faces a lawsuit in the U.S. District Court for the Central District of California over an April 2024 data breach. Cryobank provides frozen donor sperm and specialized reproductive health care services, including egg and embryo storage.
Cryobank notified the affected individuals this month that it detected suspicious activity on its network and determined that an unauthorized party gained access to its IT environment and may have accessed files containing personal information.
While sperm is commonly donated anonymously, the information is associated with a donor-assigned ID number. That ID number can then be used by offspring at 18 if they want to learn more about their biological father. Nevertheless, the security incident affected information including patient names, Social Security numbers, driver’s license numbers, financial account numbers, and health insurance information. The complaint alleges that Cryobank failed to sufficiently protect and secure its patients’ personal and health information. The plaintiff is seeking class certification to include others affected by the data breach.
The complaint states that the individual notifications did not include “the identity of the cybercriminals who perpetrated this Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.”
The lawsuit asserts claims of negligence, breach of implied contract, and unjust enrichment, as well as violations of the California Unfair Competition Law and Confidentiality of Medical Information Act.
Joint Bulletin Warns Health Sector of Potential Coordinated Multi-City Attack
On March 20, 2025, the American Hospital Association (AHA) and the Health-ISAC issued an alert to the health care sector warning of a social media post that posed a potential threat “related to the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks.” The post targets “mid-tier cities with low-security facilities.”
The alert recommends “that teams review security and emergency management plans and heighten staff awareness of the threat,” including physical security protocols and practices, such as “having a publicly visible security presence.”
The alert, updated on March 26, 2025, indicates that the FBI has not identified a “specific credible threat targeted against hospitals in any U.S. city.” Nonetheless, the threat is concerning, and the recommendations of the AHA and Health-ISAC are worth noting.
Pennsylvania Teacher’s Union Faces Class Action over Data Breach
The Pennsylvania State Education Association (PSEA) faces a class action resulting from a July 2024 data breach. The proposed class consists of current and former members of the union as well as PSEA employees and their family members. The lawsuit alleges that the union was negligent and breached its fiduciary duty when it suffered a data breach that affected Social Security numbers and medical information. The complaint further alleges that the PSEA failed to implement and maintain appropriate safeguards to protect and secure the plaintiffs’ data.
The union sent notification letters in February 2025 informing members that the data acquired by the unauthorized actor contained some personal information within the network files. The letter also stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted [. . .] We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information.” The union also informed affected individuals that it did not have any indication that the information was used fraudulently.
The complaint alleges “actual damages” suffered by the plaintiff related to monitoring financial accounts and an increased risk of fraud and identity theft. Further, the complaint states that “the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches involving health information.”
In addition to a claim of negligence, the class alleges that the breach violates the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. The class is demanding 10 years of credit monitoring services, punitive, actual, compensatory, and statutory damages, as well as attorneys’ fees.
Personal Information Released in JFK Files
I am not sure what the rush was to make the JFK assassination files available, but the perceived urgency caused Social Security numbers of individuals involved in the investigation to be released to the public. Although The Washington Post found 3,500 Social Security numbers in the documents, it is estimated that many were duplicates, and over 400 individuals were affected.
The Social Security numbers contained in the over 60,000 pages of documents can be accessed online or in person. The Washington Post reported the unauthorized disclosure, and the National Archives then screened the documents “so that the Social Security Administration could identify living individuals and issue them new numbers.”
Unfortunately, the documents were not previously screened for personal information, a basic tenet of protection. It is another message reaffirming that the new administration does not prioritize data security.
Phishing Attacks – Anyone Can Get Owned

HaveIBeenPwned is a website that allows users to check whether their data has been involved in data breaches. The website’s creator, Troy Hunt, was the subject of a phishing attack earlier this week. The attack was unrelated to the HaveIBeenPwned website and compromised Hunt’s personal Mailchimp account.
According to Hunt, he received an email purporting to be from Mailchimp regarding a flag on his account. When he clicked the “Review Account” button, he was taken to a fake Mailchimp domain. Hunt notes in a blog post that he manually entered his credentials and that they did not auto-populate from his password management application as they usually would.
Hunt received and entered a one-time password and was taken to a hung page. Now suspicious, he then reportedly logged into the legitimate Mailchimp site and changed his password, but the phishing attack was likely an automated process. Within minutes, Hunt had already received notification emails from Mailchimp regarding login activity and list exports from another unknown IP address. Hunt noted that the list included approximately 16,000 records, including current and former blog subscribers.
Our conception of a typical phishing email is one that is poorly worded, involves an unusual payment request, and is blatantly implausible. However, this incident demonstrates that phishing attacks are becoming increasingly sophisticated and can happen to anyone.
Takeaways:
Sense of urgency can be subtle – As bad actors become more sophisticated, not all phishing emails will create an unbelievable sense of urgency, such as asking users to update their payment or billing information to unlock an account. In Hunt’s case, he acknowledged that the notification created “just the right amount of urgency without being over the top.” Any email from an organization or person creating a sense of urgency warrants pause and contemplation before clicking or performing any action.
Circumvention of password manager could be a sign – Password managers are designed to autofill credentials on known websites. Hunt realized that his credentials did not populate into the fake Mailchimp site, which, in hindsight, was a potential sign of unusual activity. If a site that typically remembers your credentials requests them, this might be (though it is not always) a sign of a spoofed domain.
One-time passwords are not foolproof – Although multi-factor authentication provides enhanced security over using only usernames and passwords, one-time passwords cannot protect against such automated phishing attacks because once the user enters the one-time password onto the spoofed site, the bad actor now has access to the legitimate account.
Passkeys are more phishing-resistant – A passkey is a password replacement, where a digital credential tied to a user’s account allows them to authenticate into the account. Passkeys rely on biometrics or swipe patterns to sign users into accounts. Passkeys cannot be stolen as easily as passwords because they require the bad actor to have access to users’ biometrics or swipe patterns, which is not readily accessible.
No single tip or trick can help prevent phishing attacks, but remaining vigilant and enacting certain security measures can minimize the chances of becoming subject to such social engineering schemes.
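The three technical takeaways above can be reproduced in a small simulation, added here as an illustration and not taken from Hunt's post or from Mailchimp: a password manager that fills only on the saved origin, a one-time password that a server accepts no matter which page collected it, and a passkey assertion that is bound to the origin of the page the browser actually loaded. The origins, account values and function names are constructed, and the passkey message is a reduced form of WebAuthn (the signed data is only the RP ID hash plus the hash of the client data).

```javascript
const nodeCrypto = require("crypto");

// Constructed placeholders, not taken from the incident.
const REAL_ORIGIN = "https://login.newsletter.example";
const FAKE_ORIGIN = "https://login.newsletter-sso.example";
const RP_ID = "newsletter.example";
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// RFC 6238 one-time password: HMAC-SHA1, 30-second step, 6 digits.
function totp(secret, timeMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(timeMs / 30000)));
  const mac = nodeCrypto.createHmac("sha1", secret).update(counter).digest();
  const offset = mac[19] & 0x0f;
  return String((mac.readUInt32BE(offset) & 0x7fffffff) % 1000000).padStart(6, "0");
}

// Password manager: the lookup key is the origin of the page that is loaded,
// so a lookalike host has no saved entry and nothing is filled.
function autofill(vault, pageUrl) {
  return vault.get(new URL(pageUrl).origin) ?? null;
}

// Browser side of a passkey sign-in. The origin written into the signed client
// data comes from the loaded page, not from anything the page supplies, and a
// conforming browser refuses when the page's host is outside the passkey's RP ID.
function getAssertion(pageUrl, challenge, passkey, conformingBrowser) {
  const { origin, hostname } = new URL(pageUrl);
  const hostInScope = hostname === passkey.rpId || hostname.endsWith("." + passkey.rpId);
  if (conformingBrowser && !hostInScope) return null;
  const clientDataJSON = JSON.stringify({ type: "webauthn.get", challenge, origin });
  const rpIdHash = sha256(passkey.rpId);
  const signedBytes = Buffer.concat([rpIdHash, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign("sha256", signedBytes, passkey.privateKey);
  return { clientDataJSON, rpIdHash, signature };
}

// Server check for password + OTP: both are bearer values, so the server
// cannot tell whether they arrived from the user or were forwarded.
function verifyOtpLogin(account, password, code, nowMs) {
  return password === account.password && code === totp(account.totpSecret, nowMs);
}

// Server check for a passkey: challenge, origin and RP ID must all match
// before the signature is even considered.
function verifyPasskeyLogin(account, challenge, assertion) {
  if (!assertion) return false;
  const clientData = JSON.parse(assertion.clientDataJSON);
  if (clientData.type !== "webauthn.get" || clientData.challenge !== challenge) return false;
  if (clientData.origin !== REAL_ORIGIN) return false;
  if (!assertion.rpIdHash.equals(sha256(RP_ID))) return false;
  const signedBytes = Buffer.concat([assertion.rpIdHash, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signedBytes, account.publicKey, assertion.signature);
}

// Runs one sign-in attempt that starts on pageUrl and reports what each
// mechanism does. Credentials the user types by hand reach the server intact.
function simulate(pageUrl, { conformingBrowser = true, nowMs = Date.now() } = {}) {
  const totpSecret = Buffer.from("constructed-totp-seed");
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const account = { password: "constructed-password", totpSecret, publicKey };
  const vault = new Map([[REAL_ORIGIN, { username: "user", password: account.password }]]);

  const autofilled = autofill(vault, pageUrl) !== null;
  const otpAcceptedByServer = verifyOtpLogin(
    account, "constructed-password", totp(totpSecret, nowMs), nowMs);

  const challenge = nodeCrypto.randomBytes(32).toString("hex");
  const assertion = getAssertion(pageUrl, challenge, { rpId: RP_ID, privateKey }, conformingBrowser);
  const passkeyAcceptedByServer = verifyPasskeyLogin(account, challenge, assertion);

  return { autofilled, otpAcceptedByServer, passkeyAcceptedByServer };
}

console.log("lookalike page:", simulate(FAKE_ORIGIN + "/review-account"));
console.log("real page:     ", simulate(REAL_ORIGIN + "/login"));
```

On the lookalike page the password manager stays silent and the passkey sign-in produces nothing the server will accept, while the hand-typed password and one-time code are accepted exactly as they would be from the real page.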
Best Method Challenge Continues to Offer “a Material Advantage” – Zoetis Services LLC v Boehringer Ingelheim Animal Health USA Inc [2024] FCAFC 145
Finding against Zoetis, the Full Federal Court held that Zoetis’ three patent applications relating to pig vaccines were invalid due to the failure to disclose the best method.
The Court’s analysis focused on one of Zoetis’ patent applications (the 535 Application), as the parties agreed that the finding would apply to the other patent applications. The key issue was whether Zoetis’ disclosure of a range of varying antigen concentrations for its investigational vaccine products (IVPs) satisfied the best method requirement. Notably, the antigen concentration disclosed in the specification was provided relative to a reference vaccine, the concentration of which was not disclosed.
The best method arguments centered around the observations in Apotex v Servier that the patentee “has an obligation to include aspects of the method of manufacture that are material to the advantages it is claimed the invention brings”. In addressing this question, the Full Court concluded:
The specific (absolute) antigen concentration was material to the alleged advantages of the claimed invention and therefore had to be disclosed;
Zoetis knew the specific (absolute) antigen concentration that conferred the advantages as it had produced IVPs and conducted trials;
Within the antigen ranges claimed by Zoetis, different experimental compositions demonstrated different levels of efficacy; and
The disclosure of a possible range of concentration of antigens failed the best method requirement as it was not a ‘fair disclosure’ of the best method.
AI Governance: Steps to Adopt an AI Governance Program
There are many factors to consider when assisting clients with assessing the use of artificial intelligence (AI) tools in an organization and developing and implementing an AI Governance Program. Although adopting an AI Governance Program is a no-brainer, no one form of a governance program is sufficient. Each organization has to evaluate how it will use AI tools, whether (and how) it will develop its own, whether it will allow third-party tools to be used with its data, the associated risks, and what guardrails and guidance to provide to employees about their use.
Many organizations don’t know where to start when thinking about an AI Governance Program. I came across a guide that I thought might be helpful in kickstarting your thinking about the process: Syncari’s “The Ultimate AI Governance Guide: Best Practices for Enterprise Success.”
Although the article scratches the surface of how to develop and implement an AI Governance Program, it is a good start to the internal conversation regarding some basic questions to ask and risks that may be present with AI tools. Although the article mentions AI regulations, including the EU AI Act and GDPR, it is important to consider state AI regulations being introduced and passed daily in the U.S. In addition, when considering third-party AI tools, it is important to question the third party on how it collects, uses, and discloses company data, and whether company data is being used to train the AI tool.
Now is the time to start discussing how you will develop and implement your AI Governance Program. Your employees are probably already using AI tools, so assess the risk and get some guardrails around it.
EPA Extends 2024 RFS Compliance Reporting Deadline
The U.S. Environmental Protection Agency (EPA) issued a final rule on March 14, 2025, extending the Renewable Fuel Standard (RFS) compliance reporting deadline for the 2024 compliance year. 90 Fed. Reg. 12109. As reported in our January 8, 2025, blog item, EPA published a proposed rule on December 12, 2024, that would partially waive the 2024 cellulosic biofuel volume requirement and revise the associated percentage standard under the RFS program due to a shortfall in cellulosic biofuel production. 89 Fed. Reg. 100442. As a result of this proposed change, EPA proposes to extend the RFS compliance reporting deadline for the 2024 compliance year. In its March 14, 2025, final rule, EPA does not make final the proposed partial waiver or most of the other proposed amendments to other RFS provisions, instead stating that it may address them in a later action. According to EPA, it expects that the effective date of the revised 2024 cellulosic biofuel standard will not occur until after the March 31, 2025, original 2024 RFS compliance reporting deadline. To provide obligated parties with sufficient time to carry out and adjust their compliance strategies once EPA issues the final revised 2024 cellulosic biofuel standard, it is extending the 2024 RFS compliance reporting deadline from March 31, 2025, to the next quarterly compliance reporting deadline after the effective date of the final rule establishing the revised 2024 cellulosic biofuel standard. EPA states that by operation of law, the 2024 attest engagement deadline would also be extended to the next June 1 annual attest engagement reporting deadline after the revised 2024 RFS compliance reporting deadline. EPA also made several minor amendments and technical corrections to other RFS provisions. The rule was effective March 13, 2025.
THE WHITE COAT DIDN’T BETRAY YOU—THE PIXEL DID: Judge Keeps Florida Wiretap Case Against Hospital Alive
Greetings CIPAWorld!
Your search history reveals more about you than you might realize. If you’ve ever noticed suspiciously specific medical ads appearing after researching health concerns online, you’re not just being paranoid; you’re witnessing sophisticated tracking technologies at work.
A federal court in Florida handed down a decision that should make us pause before typing that symptom into a healthcare website’s search bar. The case involves a patient who claimed her medical searches on Orlando Health’s website allegedly led to targeted Facebook ads for her specific medical conditions. See W.W. v. Orlando Health, Inc., No. 6:24-cv-1068-JSS-RMN, 2025 U.S. Dist. LEXIS 40038 (M.D. Fla. Mar. 6, 2025).
Judge Julie S. Sneed’s ruling in W.W. v. Orlando Health, Inc. denied most of the healthcare provider’s attempts to dismiss the lawsuit, potentially opening the door for closer scrutiny of how medical websites track and share our sensitive health information. As someone who has researched medical information online in the past (who doesn’t these days?), I wondered exactly what happens when I click that “search” button on my insurance carrier’s website.
The Plaintiff alleged she used Orlando Health’s website to research conditions, including ileostomy, heart problems, and fatty liver disease. She later noticed Facebook advertisements popping up for products related to these exact conditions—ileostomy bags, heart failure treatments, and services from Orlando Health neurologists. Coincidence? Plaintiff didn’t think so, and Judge Sneed found her claims plausible enough to proceed.
However, the medical context elevates this case beyond another privacy suit. The Court noted that Orlando Health operates over 100 medical facilities. It encourages patients to use its website to communicate medical symptoms, conditions, and treatments via the search bar and related webpages, including access to appointment booking and the MyChart patient portal. As such, this wasn’t a casual browsing session but an online extension of the doctor-patient relationship.
What makes this case particularly concerning is the nature of the tracking technology itself. Plaintiff alleges that Orlando Health employed tracking tools that operate largely invisibly to users. Judge Sneed acknowledged this reality, noting these technologies are hidden from users’ view and difficult to avoid, even for the particularly tech-savvy user. This creates a troubling power imbalance—patients have no meaningful way to opt out of tracking that they don’t even know is happening.
Even more fascinating is how the court analyzed the claims under the Florida Security of Communications Act (“FSCA”). I think it’s important I highlight the FSCA… after all, I am a Floridian. The FSCA prohibits the intentional interception of electronic communications, and Orlando Health argued that what was being tracked was merely metadata, not the actual content of communications. But Judge Sneed distinguished this case from previous decisions involving commercial websites.
The key difference? Medical searches reveal something fundamentally private about us. For instance, if I decide to search “cardiologist for heart palpitations,” I’m not just clicking links—I’m communicating sensitive information about my health condition. The Court recognized this distinction, noting that information about a user’s medical conditions and healthcare searches constitutes ‘contents’ protected under these statutes.
To break this down further, the FSCA defines “contents” as “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7). The Court emphasized that URLs and search queries on a medical website reflect the message Plaintiff sought to convey to Defendant through its website, thus satisfying the statutory standard. Judge Sneed’s approach relied on Black’s Law Dictionary to define “substance,” “purport,” and “meaning,” grounding her interpretation in long-standing legal usage.
As a result, Judge Sneed determined that W.W. successfully alleged all three required elements for an FSCA claim: (1) that Orlando Health intentionally intercepted her electronic communications, (2) that these interceptions captured protected “contents” under the statute, and (3) that she had not consented to this interception. The Court emphasized that Plaintiff has adequately alleged that the electronic communications she claims were intercepted were ‘contents’ as defined by the FSCA.
Orlando Health relied heavily on a Florida case, Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *1 (Fla. Cir. Ct. June 17, 2021), which involved “session replay” technology tracking users’ movements on a commercial airline website. But Judge Sneed pointed out three crucial differences: first, Jacome involved different tracking technology in a non-healthcare context; second, the very case Orlando Health relied on actually supported W.W.’s position by acknowledging that medical records deserve protection; and third, other courts facing similar healthcare tracking cases have reached conclusions favorable to patients. The Court held that Plaintiff’s claims are predicated on the tracking tools’ interception of her communications… not on the simple fact that her movements on Defendant’s website were tracked.
Moreover, the Court analyzed multiple cases where similar tracking tools on healthcare websites were found potentially liable under wiretap laws. In A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *5-7 (N.D. Ill. Sept. 9, 2024), the Northern District of Illinois denied a motion to dismiss, finding that URLs containing search terms about medical conditions constituted protected content. Similarly, in R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 885, 903 (C.D. Cal. 2024), the Court found that when tracking technologies shared information about “sensitive healthcare products” with Meta and Google, resulting in targeted ads, this information “reveal[ed] a substantive message about [the p]laintiffs’ health concerns.”
As such, the ruling on the FSCA claim is principally significant because, as Judge Sneed noted, “the FSCA was modeled after the Wiretap Act, [and] Florida courts construe the FSCA’s provisions in accord with the meaning given to analogous provisions of the Wiretap Act.” W.W., 2025 U.S. Dist. LEXIS 40038, at *7. This means the Court’s interpretation of what constitutes “contents” under the FSCA directly influenced its analysis of the federal Wiretap Act claim.
What I found particularly striking was the Court’s reference to the Ninth Circuit’s decision in In re Zynga Priv. Litig., 750 F.3d 1098 (9th Cir. 2014). While that case found that basic website header information wasn’t protected content, it explicitly stated that “a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” This distinction has become crucial in healthcare privacy cases, with courts like the Northern District of California in Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023), recognizing that “a URL disclosing a ‘search term or similar communication made by the user’ ‘could constitute a communication’ under the [Wiretap Act].”
Next, the Court also looked at similar cases in other jurisdictions. In In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 712, 718, 720 (D. Minn. 2023), a Minnesota Court determined that technology that “surreptitiously track[ed] users’ interactions on the [defendant’s w]ebsites and transmit those interactions to [Meta]” was actionable under the Wiretap Act. Similarly, in Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *9 (W.D. Wash. Dec. 19, 2023), a Washington Court found similar allegations sufficient under California’s Invasion of Privacy Act (“CIPA”).
The Court’s analysis demonstrated a sophisticated understanding of how modern tracking tools actually function. Judge Sneed described how the Facebook Pixel works, explaining that it causes the user’s web browser to instantaneously duplicate the contents of the communication with the website and send the duplicate from the user’s browser directly to Facebook’s server. In a sense, it’s like having a third person secretly photocopy your private medical forms as you fill them out—except it happens digitally, all without your knowledge. That’s a scary thought.
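A site owner can test for the behaviour described here by capturing the requests a browser makes during a search and checking whether any third-party host receives the search term. The audit below is an added example, not code from the opinion, the complaint or any tracking vendor; the hosts, the request parameters and the captured entries are constructed, and the list of search parameter names is an assumption about the site being audited.

```javascript
// Assumption: query parameter names the audited site uses for its search box.
const SEARCH_PARAMS = ["q", "query", "search", "s"];

// A request is first-party when it goes to the site's own domain or a subdomain.
function isThirdParty(requestHost, siteDomain) {
  return !(requestHost === siteDomain || requestHost.endsWith("." + siteDomain));
}

// A page URL copied into another request is percent-encoded, sometimes twice,
// so decode until the text stops changing (bounded to three rounds).
function fullyDecode(text) {
  let current = text;
  for (let round = 0; round < 3; round++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch {
      break; // stray "%" in the payload: keep what has been decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current.toLowerCase();
}

// entries: [{ pageUrl, requestUrl, referer?, postData? }] from a browser capture.
// Returns one finding per third-party request that carries the patient's search term.
function auditCapture(entries, siteDomain) {
  const findings = [];
  for (const entry of entries) {
    const request = new URL(entry.requestUrl);
    if (!isThirdParty(request.hostname, siteDomain)) continue;

    const page = new URL(entry.pageUrl);
    const terms = SEARCH_PARAMS
      .map((name) => page.searchParams.get(name))
      .filter(Boolean)
      .map((term) => term.toLowerCase());

    const places = {
      url: fullyDecode(request.search),
      referer: fullyDecode(entry.referer || ""),
      body: fullyDecode(entry.postData || ""),
    };
    for (const term of terms) {
      for (const [where, text] of Object.entries(places)) {
        if (text.includes(term)) findings.push({ host: request.hostname, term, where });
      }
    }
  }
  return findings;
}

// Constructed capture: two searches on a placeholder hospital site.
const SAMPLE_CAPTURE = [
  { pageUrl: "https://www.hospital.example/search?q=heart+palpitations",
    requestUrl: "https://www.hospital.example/api/search?q=heart+palpitations" },
  { pageUrl: "https://www.hospital.example/search?q=heart+palpitations",
    requestUrl: "https://pixel.adnetwork.example/collect?ev=PageView" +
      "&dl=https%3A%2F%2Fwww.hospital.example%2Fsearch%3Fq%3Dheart%2Bpalpitations" },
  { pageUrl: "https://www.hospital.example/search?q=ileostomy%20bag",
    requestUrl: "https://analytics.example/batch",
    postData: '{"page_location":"https://www.hospital.example/search?q=ileostomy%20bag"}' },
  { pageUrl: "https://www.hospital.example/search?q=ileostomy%20bag",
    requestUrl: "https://fonts.cdnhost.example/font.woff2",
    referer: "https://www.hospital.example/" },
];

console.log(auditCapture(SAMPLE_CAPTURE, "hospital.example"));
```

The first-party search request and the font download are ignored; the two findings are the requests in which a third-party host receives the search term, once in the request URL and once in a POST body.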
One crucial legal issue the Court had to address was whether Orlando Health could be liable under the Wiretap Act as a party to the communications. Normally, a party to communications can’t “intercept” them under the law. But Judge Sneed found that the “crime-tort exception” might apply, which creates liability when a party intercepts communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). This exception has created a split among federal courts, with some like B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) rejecting its application, while others like Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 380 (S.D.N.Y. 2024) have held that “A defendant’s criminal or tortious purpose of knowingly disclosing individually identifiable health information to another person in violation of HIPAA may satisfy the crime-tort exception.”
Let’s just think about this for a moment. When you visit your healthcare provider’s website and search for information about a medical condition, you’re effectively having a private conversation about your health. This is a conversation you reasonably expect to stay between you and your provider. Plaintiff alleges that Orlando Health allowed Facebook and Google to listen to this conversation without her knowledge or consent and then use what they heard to sell her things. That’s not just invasive—it’s monetizing vulnerability. The Complaint even describes Meta Pixel and Google’s APIs duplicating real-time communications and sending them to third-party servers without user awareness.
I remember searching for allergy specialists on my insurance provider’s website, only to suddenly see my social media feeds filled with ads for allergy medications. It felt like someone had been reading over my shoulder—because in a digital sense, they had been. This is a troubling loophole in our digital privacy framework. While HIPAA strictly regulates how healthcare providers handle patient information in traditional contexts, the rules often become murky in digital environments. The law hasn’t caught up to the technology, and it’s essential that case law helps close that gap.
The Court recognized other claims as well, including breach of confidence. Judge Sneed emphasized the profoundly personal nature of health information, quoting Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998): “One can think of few subject areas more personal and more likely to implicate privacy interests than that of one’s health.” Additionally, the Court also allowed unjust enrichment and breach of implied contract claims to proceed, acknowledging that private health information has economic value that healthcare providers shouldn’t be able to exploit without consent. Judge Sneed agreed that Defendant obtained enhanced advertising services and more cost-efficient marketing from the data disclosures, which plausibly conferred a benefit on Orlando Health without Plaintiff’s consent.
In an interesting development for data privacy attorneys, the Court expressly recognized the economic value of personal health information. As Judge Sneed noted, courts should not “ignore what common sense compels it to acknowledge—the value that personal identifying information has in our increasingly digital economy…. Consumers too recognize the value of their personal information and offer it in exchange for goods and services.” W.W., 2025 U.S. Dist. LEXIS 40038, at *32-33 (quoting In re Marriott Int’l, Inc., 440 F. Supp. 3d 447, 462 (D. Md. 2020)).
Interestingly, the Court did dismiss one claim—invasion of privacy by intrusion upon seclusion—finding that Florida law requires an intrusion into a private “place” rather than merely a private activity. As Pet Supermarket, Inc. v. Eldridge, 360 So. 3d 1201, 1207 (Fla. Dist. Ct. App. 2023) specified, “Florida law explicitly requires an intrusion into a private place and not merely into a private activity.” This reveals a gap in privacy law that has not yet adjusted to the digital age, where violations occur in virtual rather than physical spaces.
The irony here is palpable. Healthcare providers are bound by HIPAA and other regulations that severely restrict how they can share our health information in traditional contexts. Yet some providers may allow tech companies to access this information through their websites with far less oversight.
Judge Sneed’s decision aligns with similar rulings in cases like D.S. v. Tallahassee Mem’l HealthCare, No. 4:23cv540-MW/MAF, 2024 WL 2318621, at *1 (N.D. Fla. May 22, 2024), and Cyr v. Orlando Health, Inc., No. 8:23-cv-588-WFJ-CPT (M.D. Fla. July 5, 2023). In Tallahassee Memorial, the Court denied dismissal of identical claims where a healthcare provider allegedly disclosed patient information to Meta and Google through website tracking. Similarly, in Cyr—another case against Orlando Health itself—the Court found the plaintiff’s claims plausible and worthy of proceeding past the pleading stage. This suggests that Courts are increasingly receptive to these digital privacy concerns in the healthcare context.
All in all, healthcare marketers may need to rethink their digital strategies, and patients might finally gain transparency into how their online health searches are being monetized. The next time you search for symptoms online or book a medical appointment through a website, remember that a seemingly private digital conversation might have more participants than you realize.
Behavioral Health Law Ledger | March 2025
Welcome to the Ledger
The March 2025 issue of Greenberg Traurig’s quarterly Behavioral Health Law ledger explores two behavioral health legal developments: proposed legislation in several states that would affect behavioral and mental health operations, including reimbursement for mental health services and enforcement of fraud and abuse laws for substance use disorder facilities; and a rise in hospital closures, including psychiatric hospitals.
Pending Legislation Review: State Legislation that May Impact Behavioral Health
Multiple states have introduced legislation that may affect behavioral and mental health operations on a state level.
Legislation on Behavioral Health Operations
Colorado
Colorado Senate Bill 25-042 proposes to empower Colorado’s Behavioral Health Administration to address reimbursement shortages for behavioral health services and to fill in gaps in Colorado’s continuum of care for behavioral health crises. On an operational level, this would increase the number of reimbursable days for inpatient mental health services from 15 days to 60 days. In addition, this bill proposes to amend how involuntary mental health holds are handled and would change the discharge requirements for patients admitted on involuntary mental health holds.
Possible effects: Should this bill pass, we anticipate changes relating to reimbursement for mental health services in Colorado, which may improve accessibility gaps that persist. Nevertheless, even if the bill does not pass, this legislation demonstrates Colorado legislators’ focus on behavioral health in the state and continues the trend of improving access to, and reimbursement for, behavioral health services state-wide.
California
California Senate Bill 35 proposes to revise existing enforcement and increase scrutiny on substance use disorder (SUD) recovery facilities within California. Operationally, this bill would authorize the suspension and/or revocation of SUD facilities’ licenses for facilities that engaged in patient brokering and other kickback schemes. This bill would also empower city and district attorneys to enforce these measures, thereby potentially increasing local enforcement and scrutiny.
Possible effects: This is the second bill on scrutiny into SUD recovery facilities to be introduced since the passage of California’s Ethical Treatment for Persons with Substance Use Disorder Act (Cal. Health & Safety Code § 11857 et seq.) in 2022. Should this bill pass, it would strengthen enforcement of fraud and abuse laws for SUD facilities. However, even if the bill does not pass, this proposed legislation demonstrates a continued focus on and prioritization of SUD facility compliance within California.
Legislation on Mental Health Services and Education
Eighteen states have proposed legislation regarding education around maternal mental health. These states are Alabama, Arizona, California, Connecticut, Georgia, Maryland, Massachusetts, Minnesota, Mississippi, New Hampshire, New Jersey, New Mexico, Oklahoma, Tennessee, Virginia, and West Virginia.
These proposed bills include legislation to provide coverage for perinatal and post-partum depression screening, extending delivery and post-natal care to fee-for-service models to improve care outcomes, improving patient and practitioner education on maternal mental health, and legislation commissioning studies on SUDs and behavioral health concerns within maternal mental health.
Together, these bills represent a continued state-level shift towards prioritizing mental health on a populational level. Should these bills pass, we anticipate potential changes in reimbursement and covered services on a state level, as well as further research into this field.
Rise in Hospital Closures May Reduce Accessibility of Behavioral Health Services
In 2025, there has been a large increase in closures of hospitals, including psychiatric hospitals. To date in 2025, at least 13 hospitals have closed their doors or announced imminent closures. In almost every case, the hospital administrators have stated that the decision to cease operations was caused by financial and operational considerations, including reimbursement challenges and ongoing labor shortages.1 At least one other hospital has shuttered its inpatient psychiatric wing following ongoing concerns regarding its patient census and reimbursement.2
Of the 13 hospitals to have closed or announced imminent closure, two are in Colorado, where an additional hospital-based behavioral health provider is also closing (or at least reorganizing and relocating its operations elsewhere). On March 1, 2025, Johnstown Heights Behavioral Health ceased operations. West Springs Hospital closed effective March 10, 2025. Each of these hospitals cited ongoing financial and operational struggles that influenced these closures. Finally, West Pines Behavioral Health, a hospital-based behavioral health provider, has announced it will close its Lutheran Hospital campus operations effective March 31, 2025.3 Much of its staff and operations appear to have been relocated to the new West Pines Behavioral Hospital, a fairly new adult psychiatric hospital in Westminster (with adolescent and senior inpatient services coming in the near future) that exists through the partnership of Acadia Healthcare and Intermountain Health and was initially licensed as a psychiatric hospital in December 2024.4 Including the new addition of West Pines Behavioral Hospital, there are now eight psychiatric hospitals in Colorado, two of which are run by the state of Colorado, and all eight of which are on the Front Range urban corridor of Colorado.
These closures come on the heels of the Center for Healthcare Quality and Payment Reform’s February 2025 Report stating that “[m]ore than 700 rural hospitals—one-third of all rural hospitals in the country—are at risk of closing because of the serious financial problems they are experiencing. Over 300 of these rural hospitals are at immediate risk of closing because of the severity of their financial problems.” In light of ongoing nationwide financial struggles of health care providers, including psychiatric hospitals and those serving rural populations, behavioral health patients may face reduced accessibility for behavioral and mental health care, especially on Colorado’s western slope, despite increasing need for such service access in recent years.
1 See 10 hospital closures in 2025 – Becker’s Hospital Review | Healthcare News & Analysis.
2 See Endeavor cuts jobs amid service reductions – Becker’s Hospital Review | Healthcare News & Analysis.
3 See generally Nearly 500 behavioral health workers in Colorado have been laid off in the past 3 months | The Colorado Sun.
4 See Colorado to get more mental health bed options, new hospital amid “near crisis” | The Colorado Sun.
Oregon Court of Appeals Issues Three Different Defense Opinions
Oregon’s Court of Appeals was busy issuing three different defense opinions on March 19, 2025.
Circuit court errs by awarding attorneys’ fees based on a contingency fee. The first was Griffith v. Property and Casualty Ins. Co. of Hartford, where a homeowner submitted a fire loss and alleged the insurer did not pay the benefits owed quickly enough. The insureds filed a complaint, the insurer answered, and then a global settlement occurred. The insureds then filed a motion for summary judgment seeking prejudgment interest per ORS 82.010 as well as attorneys’ fees per ORS 742.061(1). They also sought costs as a prevailing party. The circuit court denied interest because no judgment had been entered and costs because there was no prevailing party, but granted $221,179.27 in attorneys’ fees. Both sides appealed. The insureds’ appeal about prejudgment interest was rejected for procedural reasons. The circuit court order on costs was affirmed because there was no prevailing party. Griffith is noteworthy only for its ruling about attorneys’ fees. The insurer did not dispute that ORS 742.061(1) applied or that the insureds were entitled to attorneys’ fees. It disputed only how the circuit court calculated the amount of the award. The circuit court determined that amount was a percentage of the insureds’ recovery. The Court of Appeals held that this was error.
When an award of attorneys’ fees is permitted, ORS 20.075 provides factors to determine the amount to award. Its factors generally align with the lodestar method. Although a percentage of the recovery might be appropriate in some circumstances, Griffith concluded the “lodestar method is the prevailing method for determining the reasonableness of a fee award in cases, such as this, involving a statutory fee-shifting award, even when, as here, the insured has retained counsel on a contingency-fee basis.” Further, the award “must be reasonable; a windfall award of attorney fees is to be avoided.” The Court of Appeals concluded using a percentage of the recovery was inappropriate in this instance. This is because coverage was never disputed, and the claim was immediately accepted. By the time the complaint was filed, the insurer had made several payments and was still adjusting the loss. There was minimal litigation and the delay paying the full claim “was caused by circumstances outside of the parties’ control.” The Court of Appeals ultimately concluded that the insureds had not met their burden to demonstrate the fees they sought were reasonable. The case was remanded to redetermine the fees owed.
No really, the recreational use statute applies to a city park. In Laxer v. City of Portland, the plaintiff entered Mount Tabor Park to “walk its trails” but tripped and fell due to a hole in the pavement. The plaintiff sued the City, but the circuit court granted the City’s motion to dismiss based on Oregon’s recreational use statute, ORS 105.682. The plaintiff appealed. Among other arguments, the plaintiff argued the paved road in the park was like a public sidewalk and thus exempt from ORS 105.682. The Court of Appeals concluded that while there are limits to ORS 105.682, “generally available land connected with recreation” is still typically protected. Since Mount Tabor Park is clearly connected with recreation, the dismissal was affirmed.
Defense verdict affirmed in slip-and-fall case. In Fisk v. Fred Meyer Stores, Inc., a customer slipped “on a three-foot by five-foot laminated plastic sign, which had fallen from its stand onto the public walkway.” The sign belonged to the store and was placed there by store employees. The case was tried and produced a defense verdict.
On appeal, the customer conceded there was no evidence to prove the store (1) placed the sign on the ground, (2) knew the sign was on the ground and did not use reasonable diligence to remove it, or (3) the sign had been on the ground for enough time that the store should have discovered it. The customer instead argued the circuit court erred by not giving a res ipsa loquitur instruction. Although Oregon case law has concluded res ipsa loquitur does not apply to slip and falls, the customer argued this was not a slip and fall because an object caused the fall.
Fisk affirmed the circuit court’s refusal to give the res ipsa loquitur instruction. The customer’s attempted legal distinction was meaningless. “We agree with defendant that because plaintiff slipped on an object on the ground, plaintiff’s claim is correctly characterized as a slip-and-fall claim.”
From Seizures to Strategy: The U.S. Government’s Move Toward a National Crypto Reserve
Following President Trump’s March 6 Executive Order establishing a Strategic Bitcoin Reserve, released alongside a White House Briefing, the U.S. government has taken its most formal step yet toward integrating digital assets into national economic and security policy. The order outlines a broader strategy to manage and expand the federal government’s holdings of Bitcoin and other designated cryptocurrencies through the creation of a Strategic Bitcoin Reserve and U.S. Digital Asset Stockpile.
While many details remain forthcoming, existing government practices around crypto asset custody, combined with reporting on the administration’s plans, offer a glimpse into how the reserve may operate in practice.
Bitcoin: The Foundation of the Reserve
The executive order calls for the formation of a Strategic Bitcoin Reserve, leveraging the U.S. government’s existing crypto holdings—estimated to exceed 200,000 BTC based on seizures of crypto in connection with illicit activities. These assets are already under federal control and provide a ready base for the reserve.
The Department of Justice (DOJ) has historically overseen management of some of the U.S. government’s crypto assets under its Digital Asset Forfeiture Program. The U.S. government has also contracted with third-party institutional crypto custodians to provide secure custody, wallet management, and liquidation services for seized crypto assets. The U.S. Marshals Service, a unit of the DOJ, has also periodically offered crypto for sale, just as it does with artwork, vehicles and other assets forfeited to the government in various criminal, civil and administrative cases.
However, the White House Briefing points out shortcomings in the U.S. government’s current crypto asset management protocols, including that assets are scattered across multiple Federal agencies, leading to a non-cohesive approach where options to maximize value and security of crypto holdings have been left unexplored. Additional measures could include multi-signature wallet storage, layered access controls, segregated storage (as opposed to pooling crypto assets in one omnibus wallet), strategic portfolio management, and specialized regulatory oversight via the Presidential Working Group on Digital Asset Markets.
Beyond Bitcoin: The Digital Asset Stockpile
In addition to Bitcoin, the executive order also calls for the creation of a U.S. Digital Asset Stockpile, which will include four cryptocurrencies, reportedly selected for their market relevance, technical resilience, and utility in decentralized finance (DeFi) and cross-border settlement use cases. The rationale, as outlined in a White House briefing, is to ensure the United States maintains influence and optionality in emerging blockchain ecosystems while encouraging domestic innovation.
To date, no details have surfaced regarding a formal acquisition program for these assets or how the crypto asset portfolio will be managed.
Putting It Into Practice: The launch of the Strategic Bitcoin Reserve and Digital Asset Stockpile marks a watershed moment in U.S. crypto policy. This policy signals a clear shift toward legitimizing digital assets as sovereign financial instruments and could prompt other nations to consider similar reserves. This development also suggests the U.S. intends to play an active role in shaping global crypto governance—not only through regulation, but also through participation and ownership.