The Next Wave of ADA Website Accessibility Lawsuits Against Alcohol Suppliers

The increasing popularity of online shopping has made e-commerce businesses – specifically those in the alcohol beverage industry – a frequent target for costly litigation. In lockstep with the continued prevalence of website accessibility cases, plaintiff firms are sending pre-suit demand letters to alcohol suppliers and, in some cases, filing a state or federal court lawsuit. These lawsuits, which are typically filed in California, Florida, or New York, involve claims that a supplier’s website is not accessible to individuals who are blind in violation of Title III of the Americans with Disabilities Act (ADA) and related state laws. In these cases, plaintiffs seek attorneys’ fees, damages (only under state law), and injunctive relief that would require the website to conform with the Web Content Accessibility Guidelines (WCAG) standards, which have been broadly adopted by courts and regulators.
While many e-commerce companies, including alcohol suppliers, have turned to “accessibility widgets” to improve WCAG compliance, these quick-fix solutions are not always what they seem. More than 25% of all website accessibility lawsuits in 2024 (more than 1,000) were brought against businesses that used widgets, with many plaintiffs explicitly citing widget features as alleged obstacles to accessibility. Widget developers have also faced scrutiny. The Federal Trade Commission recently leveled a $1 million fine against one such company for falsely claiming that its widgets “make any website compliant.” Therefore, relying solely on widgets to comply with WCAG standards has proven ineffective and could render e-commerce businesses vulnerable to website accessibility lawsuits.
To prevail on a website accessibility claim, plaintiffs must first show that a defendant is a private entity that owns, leases, or operates a “place of public accommodation.” Courts, however, are split on what it means for a website to be considered a place of public accommodation under Title III of the ADA. While some jurisdictions require a “physical nexus” between the website and a brick-and-mortar store, other jurisdictions have permitted these cases to go forward against a website-only company that does not own or operate any physical retail location. Even so, the “physical nexus” test is applied by a majority of federal courts and was recently adopted by the most active court for ADA website litigation in the country: the US District Court for the Southern District of New York. This development will likely add to an emerging trend of website accessibility plaintiffs resorting to state courts in search of more favorable laws.
In addition to establishing that the supplier’s website is a place of public accommodation, the plaintiff must satisfy certain jurisdictional requirements that will depend on whether products can be purchased directly from the website and whether the supplier ships to the state in which the suit was filed. Leveraging these defenses (among others) will be critical when it comes to either convincing the plaintiff to withdraw the claim, filing a motion to dismiss, or achieving an early resolution on favorable terms.
Due to the rise in these website accessibility lawsuits, we encourage industry members to take a proactive approach by:

Training personnel on accessibility requirements and WCAG standards.
Testing their website against WCAG standards (through independent consultants or user testing) and retaining testing documentation to demonstrate that users with disabilities can fully use the website.
Assessing potential areas of nonconformance with WCAG standards.
Working with internal and external technical teams to implement accessibility features into the website.
Developing an accessibility policy that informs users about the company’s accessibility practices.
Considering including a link to their website accessibility policy on every webpage, including a reporting option that is appropriately routed to address accessibility issues.
Regularly auditing their website to assess its level of accessibility (particularly after website updates).
Prioritizing manual audits over “quick fixes,” like accessibility widgets.
Engaging legal counsel to minimize litigation risk associated with website accessibility issues, including whether the ADA is applicable to the company’s website in light of the current state of the law.

My Health, My Dollar: Amazon’s Health Data Troubles in Washington

Amazon faces allegations of unauthorized data collection in violation of federal and state privacy laws, including a first-of-its-kind claim under Washington’s My Health My Data Act (“MHMDA”).
The MHMDA restricts businesses from collecting, sharing, or selling any health-related information about a consumer without their consent or “valid authorization”, going beyond the typical protections provided by the Health Insurance Portability and Accountability Act (“HIPAA”).
The case against Amazon brings into focus the potential repercussions for companies dealing in health-related data and using modern internet tracking technologies for the operation of their websites.
Businesses—especially those dealing in health-related data—must scrutinize their data privacy practices to ensure alignment with an ever-evolving legal landscape.

* * *
Privacy and health law experts no longer need to hold their breath: the first major lawsuit under Washington’s recently enacted MHMDA was filed against Amazon. (Maxwell v. Amazon.com, Inc., No. 2:25-cv-00261 (W.D. Wash. Filed Feb. 10, 2025)). In broad terms, the Western District of Washington lawsuit alleges that Amazon violated federal wiretapping laws and Washington state privacy and consumer protection rules by gathering location data via its software development kits (“SDKs”), which it then used for targeted advertising and third party data sales, all without affirmative user consent or valid authorization.
At the heart of Maxwell is the alleged violation of the MHMDA. Under the MHMDA, a violation is deemed an unfair or deceptive act under the Washington state consumer protection statute (the “Washington CPA”). The case underscores the growing risks companies engaging with consumer health information face in the modern privacy era.
Washington’s My Health My Data Act
Enacted in April 2023 and effective March 2024, MHMDA (HB 1155) represents a significant stride toward enhancing privacy protections related to health data within Washington. Emerging from growing concerns surrounding the misuse of reproductive health data, the Act aims to safeguard personal health information from unauthorized collection, storage, or sale, except where explicit consent is given by individuals.
Specifically, the MHMDA states that a regulated entity or a “small business” may not collect or share any consumer health data except “with consent from the consumer for such collection for a specified purpose” or “to the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.” The Act also applies to a wider range of consumer health data than what is typically covered under HIPAA, obliging entities falling under its scope to meticulously manage health-related data practices and paving the way for increased scrutiny over the efficacy of those practices in protecting sensitive consumer information.
Notably, the MHMDA grants a private right of action to impacted plaintiffs, with remedies that include actual damages and attorney’s fees (plus the potential for an additional award of trebled damages) under the Washington CPA.
Maxwell v. Amazon
The Maxwell case marks the debut of the first private right of action for an MHMDA violation. The putative class action complaint alleges that Amazon improperly accessed and monetized user data obtained through certain location-based apps (e.g., OfferUp and the Weather Channel) equipped with its SDKs, taking advantage of geolocation functions inherent in them. According to the lawsuit, these apps transmitted sensitive information, including biometric and precise location data, which might reflect individuals’ engagements with health services or attempts to acquire or receive health services or supplies—a direct breach of the MHMDA’s stringent privacy mandate.
In addition, the complaint alleges that beyond not obtaining consumer consent, Amazon did not make certain MHMDA-required disclosures, such as failing to: “clearly and conspicuously disclose the categories of consumer health data collected or shared; the purpose of the collection or sharing of consumer health data; the categories of entities with whom the consumer health data is shared; and how the consumer can withdraw consent from future collection.”
According to the plaintiff, Amazon defies the prohibitions outlined by both federal statutes and the MHMDA because users were unaware of—and thus did not consent to—Amazon’s full data access when using those apps. The complaint asserts that when a mobile app using Amazon’s SDK requests location data access, users are “not provided with an opportunity to grant or deny access to Amazon as well.” The suit seeks not only injunctive relief to halt data practices lacking user consent but also damages for the purported privacy violations.
While the outcome remains uncertain, the first-of-its-kind case will serve as a critical data point in evaluating the MHMDA’s strength and definition in legal environments, drawing parallels to prior claims under California’s privacy laws.
Key Takeaways

Implicated businesses navigating this novel territory will want to pay close attention to the Maxwell case.
More importantly, those businesses should be sure to normalize regular assessments of their privacy policies and tracking technology functionalities to ensure compliance with, among the patchwork of state privacy laws across the country, the MHMDA.
Legal counsel should guide companies involved in the data-driven market in tailoring strategies to mitigate privacy risks, avoiding hefty fines and legal disputes.

What Honda’s CCPA Penalty Means for Your Privacy Compliance

The California Privacy Protection Agency (CPPA) has reached a settlement with American Honda Motor Co., Inc. (Honda), as outlined in this Order of Decision. The Order is the CPPA’s first public enforcement action involving a significant monetary penalty of $632,500, arising from its investigation into the privacy practices of connected vehicle manufacturers that began in July 2023.  
The CPPA asserted that Honda violated the California Consumer Privacy Act (CCPA) by requiring consumers to undergo an extensive identity verification process, including for requests where verification is not permitted under the CCPA. Honda’s process for accepting data subject requests through authorized agents also included unnecessary and non-permitted steps.
Additionally, the CPPA asserted that Honda’s cookie management platform violated the CCPA, as it required a two-step process for opting out of advertising cookies and tracking technologies while consenting (or reconsenting) to cookies required just a single click, making it more burdensome to opt out of, rather than consent to such data processing. Honda was also unable to produce any of its contracts with third party advertising vendors to show that they were implementing the required contractual provisions under the CCPA. 
To resolve the CPPA’s allegations, Honda has agreed to pay $632,500 in monetary penalties and revise its privacy practices, including implementing a simpler process for consumers to exercise their privacy rights, minimizing data collection for verification purposes and modifying its contract management and tracking processes.  
The CPPA’s Order signals an intent to hold businesses accountable for their data subject request processes. Below are some steps you can take to ensure compliance and mitigate the risk of similar penalties:

Revisit your process for responding to data subject requests and ensure that your verification process is appropriately tailored.
Review (or implement) a process for receiving, verifying and responding to data subject requests.
Review your contracts with vendors to confirm they include the required provisions.
Assess (or implement) your cookie management platform to ensure opt-out processes are simple and symmetrical.

New York Attorney General Reaches $650,000 Settlement with Student Social Networking App Developer Over Privacy Violations

On March 7, 2025, New York Attorney General (“NY AG”) Letitia James announced a $650,000 settlement with Saturn Technologies Inc. (“Saturn”), the developer of the Saturn App, a social networking app geared towards high school students and built around customized school calendars.
In its action against Saturn, the NY AG alleged that the company promised at various times between 2018 and August 2023 to verify users’ school email credentials to ensure (1) that the Saturn App did not allow non-students to join and (2) only users from the same school could interact with each other on the app. The NY AG alleged that, in contrast to these promises, Saturn stopped authenticating high school email credentials in 2021, thereby permitting users from different high schools to message each other and allowing “unverified” non-students to join with almost complete access to all Saturn App features. The NY AG alleged that these practices violated New York Executive Law § 63(12), which prohibits engaging in repeated fraudulent acts in the carrying on, conducting, or transaction of business. The NY AG also alleged that Saturn engaged in deceptive trade practices, violating both New York General Business Law § 349 and Section 5 of the FTC Act.
The AG’s investigation also determined that Saturn:

Did not screen out new users based on birth date to determine they were high-school aged until August 2023, and continues to not screen out fraudulent users based on location.
Copied users’ contact books (with names, personal phone numbers, and other contact information) and continued using the information even when users updated their settings to deny the Saturn App access to their contacts.
Implemented a “friendship verification” process with security vulnerabilities, which enabled unverified users to continue to access certain personal information of verified Saturn App users.
Promoted the Saturn App through other high school students (“Student Ambassadors”) without disclosing that those students received compensation for completing assigned marketing tasks.
Failed to keep sufficient records regarding data privacy, data permissions, user verification, and user privacy.

Under the terms of the settlement, Saturn must pay $650,000 in penalties and costs, provide users under the age of 18 with enhanced privacy options (including hiding social media links from non-friends for all new users under the age of 18 by default), document all changes related to user privacy policies and procedures, submit its user interface for NY AG approval, and develop a marketing training program.
The settlement agreement also requires Saturn to:

Notify users regarding app verification changes and provide them with options to modify privacy settings.
Prompt all users under 18 to review their privacy settings every six months.
Refrain from making future claims about user safety or verification unless the company has a reasonable basis for making the claim based on competent and reliable scientific evidence.
Limit the information about non-Saturn App-users that can be entered into the App by Saturn App users (i.e., the non-Saturn App user’s class enrollment or event attendance).
Allow teachers to block student names, initials or other personal identifiers from appearing in the Saturn App’s class schedule feature.
Delete retained copies of the phone contact books of certain users.
Hide the personal information of current users under 18 until Saturn Technologies obtains informed consent to the new Saturn App terms.

ONCE A BUSINESS NUMBER NOT ALWAYS A BUSINESS NUMBER: Court Finds Shelton Can Sue For B2B Calls to Number That He Used to Use for Business Purposes But Not Anymore

One of the most commonly asked questions I receive is whether B2B calls made to numbers on the DNC list are legal.
It is a bit of a tricky answer. I fully explore it here.
Quickly: the DNC prevents calls to residential numbers, so the purpose of the call does not matter, only the use of the number called. And when a number is used both for business and for residential purposes it is considered a “mixed use” number and counts as a residential line.
In essence, therefore, B2B calls to a cellular phone on the DNC list are simply not safe to make without EBR or permission because there’s generally no way to know if the number is a business or residential line.
Just to drive that point home, imagine a situation where a cellular phone was actually found–by a court– to be a business line and a resulting TCPA suit was dismissed as a result of calls to that exact number.
Such a number would be safe to call as a business line right?
Wrong.
Check this out.
In Shelton v. Pro Source 2025 WL 817485 (E.D. Pa March 14, 2025) the Plaintiff–the famous James Shelton–brought suit for allegedly unsolicited marketing calls to his cell phone.
Now this was the very same cell phone number that was previously found to be a business number that was not protected by the DNC rules in Shelton v. Target Advance LLC, No. 18-2070, 2019 WL 1641353 (E.D. Pa. Apr. 16, 2019). There the judge held that because Plaintiff “held his phone number out to the world as a business phone number” he lacked standing under the TCPA on that claim.
Five years later a lady named Brittney Wilson, an employee of Pro Source Lending Group LLC, called that very same cell phone number apparently in an effort to offer Mr. Shelton a business loan.
Shelton sued Brittney personally–as well as her employer–arguing that he had since STOPPED using the phone for business purposes and that it is now just his residential phone.
Brittney and co. moved to dismiss and guess what? The Court sided with Shelton and found that because he had stopped using the phone for business purposes five years ago his phone was, once again, a residential number.
The Court was also unmoved by the fact that Shelton had filed so many TCPA suits and had hired a lawyer–Andrew Perrong–who himself was previously a serial litigant. Indeed, the Court pointed out this “dynamic duo” had joined forces to bring this suit:
In this case, James Shelton, a prolific plaintiff, and his counsel, Andrew Roman Perrong, equally prolific as a litigator under the TCPA, have joined forces to file a class complaint against Defendants. 
But the court determined that Shelton’s volume of litigation alone did not bar him from bringing suit.
Last, the Court held that Ms. Wilson can be sued personally for the calls at issue. The Court followed the majority of cases that have found an employee, agent or officer of a company engaged in conduct that violates the TCPA can be personally liable for that conduct. The fact she made the call for her employer is irrelevant.
Because she allegedly made the calls at issue from her cell phone she can be personally liable to Plaintiff–and potentially the class.
Eesh.
Take aways:

B2B cold calls are extremely dangerous; and
Personal liability under the TCPA lurks everywhere. This lady picked up her cell phone to make the calls at issue and was still sued personally. Don’t hang your employees out to dry! Get good counsel and protect yourself (and them).

Chat soon.

“OFF THE RAILS”: Court Refers to Parties in TCPA Suit as “Incompeten[t]” As it Issues Sanctions And I Have Never Seen Anything Like It

You can read thousands of decisions and never see one like this.
Trust me, I know.
In Delfgauw v. Barton 2025 WL 814484 (W.D. Wash. March 13, 2025) the Court opens its ruling with the following words:
[T]his order is about the incompetence and misconduct of the parties that have prevented resolution of this matter for nearly four years. To put it bluntly, this case has gone off the rails in terms of how civil litigation is supposed to proceed in federal court. 
My goodness.
Just a couple of pieces are worth noting here.
First, the parties submitted a stipulation admitting the defendant had intentionally destroyed evidence. Crazy right?
Except the parties disagree about whether the stipulation should have been filed or not. Barton says it should have been. Defendant disagrees and says the version striking that line was the only one they agreed should have been filed.
But the Court was not impressed and stated: “The Court will not allow Defendants to simply disregard their own unambiguous stipulation by arguing they should be relieved of the consequences of their stipulation because they failed to diligently review it.”
The Court went on to question the capabilities of the defense counsel: “Regardless of how it occurred, the Court is incredulous how any member of the bar could sign and submit a stipulation that their client purposefully destroyed evidence to deprive an adversary of it, absent actual knowledge that such an extraordinary event had occurred.”
Indeed.
As a result the Court ordered defendant and his counsel to show cause why they should not be additionally sanctioned.
Meanwhile the defendant also produced call recordings more than two years after the close of discovery despite holding onto the records the entire time.
In the recordings, however, Barton is caught claiming he is named Ivette Martinez, a fact the Court finds disturbing and “circumstantial” evidence Barton may have set up the lawsuit. As a result the court ordered additional discovery as to the issues of the recordings.
So…yeah.
Make sure you have GOOD TCPA defense counsel folks. That’s the take away.

Telehealth Companies and Social Media Influencers May Face New FDA Laws

On February 20, 2025, U.S. Senators Dick Durbin (D-IL) and Roger Marshall, M.D. (R-KS) introduced bipartisan legislation, the Protecting Patients from Deceptive Drug Ads Act (the Act), which closes perceived “legal loopholes” in social media advertisements by telehealth companies. The Act would require the U.S. Food & Drug Administration (FDA) to target false and misleading prescription drug promotions by social media influencers and telehealth companies.
Background
Whether or not telehealth companies are under FDA jurisdiction when marketing and promoting prescription drugs has been under debate since The New York Times published its 2019 article, Drug Sites Upend Doctor-Patient Relations: ‘It’s Restaurant-Menu Medicine’. The report called into question whether telehealth companies are — or ought to be — subject to FDA oversight when advertising drugs and medical devices. Subsequent investigative reporting alleged how some telehealth companies ran ads on social media describing benefits of prescription drugs but failing to describe the risks of these drugs. Reporters claimed telehealth companies promoted drugs for unapproved uses or featured “testimonials” without disclosing whether or not the testimonials came from actual patients or were from paid actors or company employees.
Under the Federal Food, Drug, and Cosmetic Act (FDCA), advertisements for prescription drugs may not be false, lacking in fair balance, or otherwise misleading. Any advertisements for prescription drugs (with the narrow exception of exempt reminder ads), must present a true statement of information in brief summary relating to side effects, contraindications, and effectiveness. The term “side effects, contraindications” means side effects, warnings, precautions, and contraindications, and also includes any such information under such headings as cautions, special considerations, important notes, etc.
Some have claimed these FDCA legal requirements, although clearly applicable to drug manufacturers, packers, and distributors, do not apply to telehealth companies and associated medical providers because the telehealth company and their associated providers are not addressed in the FDCA and not included in the definition of “firm” under applicable FDA Guidance documents. Under this argument, telehealth companies and their associated providers are not subject to these drug advertising laws in their direct-to-consumer marketing campaigns. Former FDA Commissioner Robert Califf observed how a number of online advertisements by telehealth companies fail to give the complete risk-benefit story (something drug manufacturers must do), as he noted how the FDA lacks the legal authority to regulate the advertising activities of such telehealth companies. 
What’s Next?
If signed into law, the Protecting Patients from Deceptive Drug Ads Act would extend FDA’s jurisdiction to specifically include market surveillance of social media influencers and health care providers for whom a financial benefit exists when such communications contain false or inaccurate statements, omit labeling or other key facts regarding a medication, or fail to include traditional risk and side effect disclosures. The Act authorizes FDA to issue warning letters and civil penalties for non-compliance.
The Act is a bipartisan effort and the controversy surrounding telehealth advertising of prescription drugs is not new. We do not anticipate this issue will fade away soon, although similar legislation previously proposed did not pass. Whether this bill can garner sufficient support remains to be seen. What is clear is there is a growing concern among federal policymakers about what they consider unsafe and imbalanced advertisements for prescription drugs by telehealth companies. Given this climate, a best practice is to ensure advertisements and marketing campaigns are reviewed by skilled advisors who can maintain the effective impact of direct-to-consumer promotions while reducing the legal risk of non-compliant advertising campaigns. As the Act moves through Congress, we will provide updates.
Want to Learn More?

Regulation of Digital Health Products by FDA
FDA’s Final Rule on Direct-to-Consumer Advertising – Presentation of Risk Information
DTC Promotional Labeling and Advertisements: Quantitative Efficacy Wins Over FDA in Final Guidance on Presenting Risk Information
Scientific Information on Unapproved Uses of Medical Products: FDA’s Final Guidance on Firm Communication to Health Care Providers

Turning Up the Heat – Ofcom Ramps Up Pressure for Platforms under the Online Safety Act

From today, online platforms are expected to have risk assessments in place to understand how likely it is for their users to encounter illegal content on their service.
Over 100,000 services are estimated to be in scope under the Online Safety Act (OSA), whether they are user-to-user services or search engines. There is no requirement for service providers to have a physical presence in the UK to be in scope, only that they “have links to the UK”, so it is likely that most service providers that offer online services to UK customers must comply with the duties under the OSA.
In addition to the 17 categories of priority illegal content that service providers must conduct a risk assessment for, there are also over 40 recommended measures that Ofcom expects service providers to implement over the course of the next few months and to ‘comply or explain’ if they are not implemented.
Under the Microscope
Ofcom is likely to take a pragmatic approach and prioritise larger sites as well as those at a higher risk of presenting illegal harms. However, Ofcom has made it clear that everyone under the OSA must comply with their duties or else they could pay fines of up to £18m or 10% of global turnover, whichever is higher.
Suzanne Cater, Enforcement Director at Ofcom has made it clear that “Platforms must now act quickly to come into compliance with their legal duties … make no mistake, any provider who fails to introduce the necessary protections can expect to face the full force of our enforcement action.”
Ofcom has also opened an enforcement programme to review measures taken to prevent image-based child sexual abuse material from being published or disseminated. Given Ofcom has identified smaller file-sharing and file-storage providers, and written to them in relation to their OSA duties, this shows that everyone under the OSA will likely be reviewed and be under the microscope in terms of its compliance with the OSA. 
Risk Assessments
There are a number of upcoming deadlines for risk assessments that service providers should be mindful of, including the 16 March deadline which has just passed. Upon completing the risk assessments, Ofcom have indicated there will be a ‘forbearance period’ of up to six months to implement the recommended measures and enforcement will be taken pragmatically.

16 March 2025: Platforms should have completed their illegal harms risk assessments and implement recommended measures by September 2025.
16 April 2025: Platforms to complete their children’s access risk assessment. 
July 2025: Platforms must complete children’s risk assessments and implement appropriate safety measures by February 2026. All services that provide adult content must also implement highly effective age assurance.

On the Horizon 
Further guidance is expected from Ofcom later this year as it seeks to implement the next phases of the OSA; this includes the protection of children, women and girls, and guidance for categorised services, which is likely to include transparency reports much like the EU’s Digital Services Act.
The consultation on the draft guidance for how to protect women and girls online is also open to set out what measures can be taken by service providers. The consultation closes 23 May 2025 and is available here. 
Next Steps
In the immediate short term, service providers should focus on completing the relevant risk assessments and begin implementing the recommended measures to the specifications outlined by Ofcom. 
Ofcom has made it clear that although it will take a pragmatic approach with enforcement, everyone is expected to comply with their legal duties under the OSA and everyone will be reviewed one way or another. Therefore, it is vital that service providers make sure they comply with the OSA as soon as possible because Ofcom will be turning up the heat on enforcement.

Not Much of a Thank You: TRICARE Contractor Resolves $11M False Claims Act Liability for Known Cybersecurity Violations

February 2025 saw an important False Claims Act settlement involving allegations of known cybersecurity failures by Health Net Federal Services Inc. (HNFS), a government contractor that provides TRICARE healthcare management services to active duty military members and their families. HNFS as well as its parent corporation Centene agreed to pay just over $11 million to resolve alleged false claims submitted to the U.S. Department of Defense.
While American values dictate that we thank service members for their role in protecting our freedoms, this government contractor instead chose to submit false claims in order to keep up their deal with the Department of Defense. Ultimately, it was taxpayers who footed the bill for fraud and false claims with government contractors. Taxpayers should never pay for shoddy services, especially not when it comes to healthcare and protecting personal and sensitive data relating to military members and their families.
The Allegations Against Health Net Federal Services, LLC and Centene Corporation
According to the DOJ, parent corporation Centene and its subsidiary Health Net Federal Services (HNFS) failed to meet minimum cybersecurity requirements between 2015 and 2018 while providing data management services to the U.S. Department of Defense through its administration of TRICARE. HNFS may have exposed U.S. service members’ personal and health data, as well as that of their families, by failing to scan for known vulnerabilities and patch known security flaws. The networks and systems maintained by HNFS during this three-year period were reported by third-party security auditors as well as the company’s own internal audit department as being inadequate in terms of:

Asset management
Access controls
Flawed configuration settings
Weak firewalls or lack of firewalls in use
End-of-life hardware and software in place
Lack of patch management
Vulnerability scanning
Shoddy password policies

HNFS not only allegedly failed to install updates from vendors that would have countered known threats; it also allegedly falsely certified compliance in annual reports to the Defense Health Agency (DHA) in order to keep its government contract with TRICARE. To resolve these allegations, Centene Corporation, which acquired all shares of HNFS as well as its liabilities, has agreed to pay $11,253,400. The matter was resolved in collaboration with the U.S. Department of Justice Civil Division’s Commercial Litigation Branch (Fraud Section) and the U.S. Attorney’s Office for the Eastern District of California, with assistance from the DoD Office of Inspector General, the DCIS Cyber Field Office Western Region, the Inspector General’s Office of Audits, Cyberspace Operations Directorate, and the DoD’s Defense Contract Management Agency, Defense Industrial Base Cybersecurity Assessment Center.
What Is TRICARE?
TRICARE is a federal health insurance program administered by the U.S. Department of Defense and its contractors. TRICARE provides healthcare coverage to qualifying members of the U.S. military and their families, including:

Active duty service members and their families
National Guard and Reserve members and families
Medal of Honor recipients and their families
Survivors
Children
Former spouses

TRICARE is similar to Medicare in that it is a primary health insurance provider funded by taxpayer dollars and administered by a federal agency. While Medicare covers older Americans ages 65 and up, TRICARE provides medical, dental, and pharmacy coverage for U.S. military members, veterans, and family members. Because of this, TRICARE also maintains personal and sensitive data for military members, including some confidential location information for active duty personnel. Like all health data, TRICARE records include HIPAA-protected information and other confidential information, which can be exposed to data breaches by criminal hackers and contractors who do not take their cybersecurity obligations seriously. TRICARE breaches are especially troubling because they can lead to the unlawful dissemination of protected information that compromises individual health privacy and potentially national security.
Federal Healthcare Programs Are Vulnerable to Cybersecurity Breaches
Acting U.S. Attorney Michele Beckwith for the Eastern District of California spoke about the HNFS settlement, saying “Safeguarding sensitive government information, particularly when it relates to the health and well-being of millions of service members and their families, is of paramount importance. When HNFS failed to uphold its cybersecurity obligations, it didn’t just breach its contract with the government, it breached its duty to the people who sacrifice so much in defense of our nation.”
Healthcare and defense contract spending are two of the most at-risk areas for fraud, waste, and abuse. Taxpayers lose billions of dollars every year to government contractors and healthcare organizations that take advantage of federal healthcare programs like Medicare, Medicaid, and TRICARE, with an estimated 10% of program expenses at risk. Meanwhile, the Government Accountability Office reports that the U.S. Department of Defense is particularly vulnerable to false or fraudulent claims involving overbilling, billing for work never performed or services not rendered to beneficiaries, fraudulent bid submissions, non-competitive bids, the provision of substandard parts or services, and the failure to disclose data breaches and other cybersecurity risks.
How Whistleblowers Can Protect Americans Through the False Claims Act
Under the U.S. Department of Justice’s Civil Cyber Fraud Initiative, private companies that contract with the federal government are obligated to uphold certain minimum cybersecurity standards. When they fail to do so, or falsely certify compliance with cybersecurity requirements, they can be held accountable under the False Claims Act for treble damages and penalties to the federal government. Through a qui tam lawsuit, whistleblowers who report these kinds of violations can also receive a percentage of the government’s total recovery. These percentages can range from 10% to 30% of the final settlement. The False Claims Act imposes treble damages upon violators, as well as individual penalties for each false claim of $13,946 to $27,894 per violation. The law also provides a reward for their inside information to whistleblowers (known as relators) who meet certain eligibility requirements and are the first to report cybersecurity fraud, government contractor fraud including DOD fraud, or healthcare fraud.
Whistleblowers can come from all walks of life and may include current or former employees of any potential defendant (such as employees of government contractors, health care entities, or any regulated company), non-employees (examiners, competitors, clients, customers, auditors, reviewers, consultants, industry experts), or anyone with evidence and knowledge of fraud involving government money. As long as you come forward willingly and in a timely manner, you may be able to bring a qui tam case with the help of a qui tam lawyer and recover a reward. There are also additional protections for employees, including cybersecurity professionals, who speak up. These may include:

The option to initially report anonymously through a qui tam law firm
A federal right of action to sue for reinstatement if you are fired from your company as a result of your protected disclosure
Up to double back pay with interest from the period during which you were demoted, suspended, or let go
Possible front pay, in cases where reinstatement is not possible
Additional damages and attorneys’ fees

FCC Seeks Comment on Quiet Hours and Marketing Text Messages

We recently published a blog about a slew of class action complaints alleging that marketing text messages cannot be sent between the hours of 9:00 pm and 8:00 am (“Quiet Hours”) unless the recipient provides prior express invitation or permission to receive such messages during Quiet Hours (“Quiet Hour Claims”). As noted, based on the plain language of the Telephone Consumer Protection Act (“TCPA”), we disagree with this argument because marketing text messages already require prior express written consent from the called party. The Ecommerce Innovation Alliance (EIA) and others filed a petition for declaratory ruling (“Petition”) with the Federal Communications Commission (“FCC”) to address this application of Quiet Hours to marketing messages.
On March 11, 2025, the FCC released a Public Notice asking for comment on the Petition. The FCC, through its Consumer and Governmental Affairs Bureau, has thus moved quickly to seek public comment on the questions raised by the petitioners.
Initial comments are due by April 10, with reply comments due by April 25. The FCC will then consider the record in contemplating a decision. There is no requirement or specific deadline for the agency to take action on the Petition. However, the plethora of Quiet Hour Claims being filed could encourage relatively prompt FCC action to clarify the rules.

OCC Clarifies Banks’ Role in Cryptocurrency Activities

On March 7, the OCC issued Interpretive Letter 1183 and an accompanying statement affirming prior guidance regarding whether national banks and federal savings associations may engage in cryptocurrency-related activities, including (i) providing custody services for depositors’ crypto assets, (ii) holding stablecoin “reserves,” (iii) facilitating stablecoin payments, and (iv) performing payment verification activities on blockchain networks. Importantly, the letter also rescinded the OCC’s Interpretive Letter 1179, which required banks to obtain written supervisory non-objection before engaging in these cryptocurrency activities.
What This Means for Banks
Specifically, banks are authorized to:

Offer Crypto-Asset Custody Services: Banks are authorized to hold unique cryptographic keys associated with customers’ cryptocurrency wallets, allowing them to hold cryptocurrency products on depositors’ behalf.
Maintain Stablecoin “Reserves”: Generally, stablecoins are a type of cryptocurrency designed to maintain a stable value. Their value is often pegged to fiat currencies, such as the U.S. dollar. Issuers of stablecoins may desire to place assets in a reserve account with a bank to provide assurance that the issuer has sufficient assets backing the stablecoin (usually on a 1:1 basis). Banks may now hold stablecoin reserves on behalf of stablecoin issuers.
Verify Blockchain-Based Payments: Banks are authorized to participate in blockchain networks by validating, storing, and recording on-chain transactions as a form of payment processing, which includes facilitating stablecoin transactions. The OCC has stated that it views blockchain-based payment facilitation as an evolution of traditional banking functions.

The OCC also clarified that while national banks and federal savings associations may engage in these activities, they must align with sound risk management practices and ensure compliance with applicable laws, including making sure they have adequate capital and liquidity to support crypto-related operations.
Putting It Into Practice: The OCC’s statement offers insight into the new administration’s perspective on banks’ roles in the rapidly evolving crypto ecosystem and coincides with other federal regulators, including the Securities and Exchange Commission, shifting their crypto-related priorities (previously discussed here). By eliminating the requirement for supervisory non-objection, the OCC signals a shift in its regulatory approach, aiming to reduce barriers for banks exploring crypto-related services. As the regulatory landscape evolves, financial institutions should closely monitor further guidance from the OCC and other federal agencies to adapt their crypto compliance strategies accordingly.

CPPA Fines Honda $632,500 for CCPA Violations

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced that it reached a settlement with American Honda Motor Co. (“Honda”) in which Honda will pay a $632,500 fine to resolve claims that the company violated the CCPA. The enforcement action comes as part of the CPPA’s ongoing investigation into connected vehicle manufacturers, which began in 2023.
Specifically, the CPPA alleged that Honda violated the CCPA’s privacy rights provisions by:

requiring California consumers to provide excessive personal information to exercise their rights, including the opt-out of sale/sharing right (which is not a right that must be verified with consumers’ personal information);
using an online privacy rights management platform that did not offer consumers their privacy choices in a symmetrical or equal way (in violation of the requirement in Section 7004(a)(2) of the CCPA Regulations to provide symmetry in choice when offering consumers more privacy-protective options, and not create a more difficult path for consumers to exercise such options); and
not providing a user-friendly method for authorized agents to submit privacy rights requests on consumers’ behalf.

The CPPA also alleged that Honda failed to provide to the CPPA copies of its contracts with ad tech providers containing the required CCPA contract provisions.
As part of the settlement, Honda agreed to (1) pay the $632,500 fine, (2) implement a new and simpler process for consumers to submit privacy rights requests, (3) consult a user experience (UX) designer to evaluate its methods for submitting privacy requests, (4) train employees on CCPA compliance, and (5) change its contracting process with recipients of consumer personal information to ensure compliance with the CCPA.