United States: Wiretaps in the Web Code? The Asset Management Pixel Litigation Explained
Earlier this month, two investors filed a putative class action challenging the deployment of third-party tracking tools—including the Meta Pixel, LinkedIn Insight Tag, and Google Analytics—on the website and mobile app of a major asset management firm.
Similar to previous class action litigation in healthcare, retail, and other industries, this lawsuit claims that these tools are deployed without user consent, in violation of state anti-wiretapping statutes (such as the California Invasion of Privacy Act) and the federal Wiretap Act.
The plaintiffs allege that the tools at issue captured real-time account logins, trade instructions, fund tickers, and search queries, and then funneled that data—paired with unique identifiers—to the third-party platforms for advertising and analytics. The complaint seeks certification of nationwide and statewide classes, along with aggregated, classwide damages for each purported statutory violation.
The case is in its early stages, and the asserted claims appear vulnerable to multiple challenges—both on the merits and at class certification—including the lack of common classwide injury, and the likelihood of user consent via applicable privacy policies. In the meantime, asset management and investment firms with similar online properties may wish to consider the following steps:
Inventory every tag. Identify all third-party scripts that load, particularly behind authenticated investor pages.
Pause sensitive flows. Disable any code that transmits account or transaction data until consent and data-minimization strategies are assessed and validated.
Update notices and banners. Review disclosures to site users— especially as part of annual privacy evaluations.
Pixels and similar tools that once seemed like innocuous adjuncts to online marketing may present significant class action risk if not properly analyzed and deployed. If your digital stack includes social media driven analytics, now is the time to audit, remediate, and evaluate disclosures
Washington State Expands Sales Tax, Increases B&O and Capital Gains Taxes
On May 20, Washington Gov. Bob Ferguson signed into law several bills aimed at closing Washington’s projected $16 billion budget gap, which were passed as part of 2025–27 operating budget.
Interested parties closely monitored the signing of these bills, especially SB 5814, which significantly expands Washington’s sales tax. The bill includes advertising services—generally digital—within the tax base, raising concerns from both in-state and out-of-state companies based on the lack of detail provided regarding the sourcing of such services. While the governor did not veto SB 5814, Washington legislators are aware of the concerns and additional action on this issue is expected.
Key Details of the Tax Changes Impacting Businesses and High-Net-Worth Individuals
Business and Occupation (B&O) Tax Changes: HB 2081 includes numerous B&O tax increases and modifies when the B&O investment deduction applies. This latter change was made in response to the Washington Supreme Court’s recent decision in Antio, LLC v. Dep’t of Revenue,1 essentially codifying the department’s position on that deduction. Notable B&O tax increases include:
–
A temporary 0.5% surcharge on a business’ taxable income in excess of $250 million beginning Jan. 1, 2026, and continuing through Dec. 31, 2029;
–
A permanent rate increase from 0.484% to 0.5% for certain categories of business activity (including manufacturing, wholesaling, and retailing) beginning Jan. 1, 2027;
–
A permanent rate increase from 1.75% to 2.1% for the services and other activities category for businesses with over $5 million in annual revenue beginning on Oct. 1, 2025;
–
A permanent rate increase from 1.2% to 1.5% for the financial institutions surcharge beginning on Oct. 1, 2025; and
–
A permanent rate increase from 1.22% to 7.5% for the advanced computing surcharge as well as an increase to the annual cap of $75 million beginning on Jan. 1, 2026.
Retail Sales Tax: SB 5418 expands the state sales tax to include many personal, business, and professional services, including digital advertising services, IT support, landscaping services, software training, tattoo services, data processing, website development, graphic design, temporary staffing services, and search engine marketing. SB 5418 also makes several modifications to Washington’s digital automated services provisions and provides that services between members of an affiliated group will be exempted. These changes are set to take effect Oct. 1 of this year.
Capital Gains Tax: SB 5813 creates a new capital gains tax top bracket of 9.9% for gains in excess of $1 million, retroactively applying from the beginning of this year (Jan. 1, 2025).
This is not an exhaustive list of all the changes that were made in conjunction with the state budget revisions but does reflect some of the key issues that may impact businesses and high-net-worth individual taxpayers. With the governor signing all of these bills, the Department of Revenue may begin to develop rules and policies on many of these new or expanded programs in the near future. Policy discussions may continue as cleanup legislation, and a special legislative session seems likely.
1 557 P.3d 672 (Wash. 2024).
HHS-OCR Risk Analysis Enforcement Initiative Continues Under New Administration
In April 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)[1] announced a settlement marking its eighth enforcement action in its Risk Analysis Initiative.[2] Since its introduction in October 2024, the initiative already has resulted in combined settlement payments of nearly $900,000 from eight different health care organizations.
When announcing the initiative in October 2024, the OCR Director stated that “failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA.”[3] The Director expressed that OCR created the initiative to “highlight the need for more attention and better compliance with this Security Rule requirement.”
The initiative follows a compliance audit conducted by OCR in 2016–2017, from which OCR concluded that only 14 percent of covered entities were substantially fulfilling their regulatory responsibilities to safeguard ePHI through risk analysis activities.[4]
Notably, the two most recent settlements under the risk analysis initiative were obtained in February 2025 and announced in April 2025, indicating that the Trump Administration is continuing to pursue the initiative first announced by the Biden Administration. The ongoing enforcement initiative underscores the importance of health care organizations understanding the Security Rule’s requirements and conducting a proper risk analysis.
What Exactly Is a Risk Analysis?
HIPAA’s Security Rule requires organizations to conduct a “risk analysis” that includes “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity or business associate.”[5]
According to HHS,[6] conducting a risk analysis is the “first step” and a “foundational element” in an organization’s Security Rule compliance.[7] However, the Security Rule does not specify a precise methodology for conducting a risk analysis.[8] According to HHS, “there are numerous methods of performing [a] risk analysis and there is no single method or ‘best practice’ that guarantees compliance with the Security Rule.”[9] While this grants organizations some flexibility, it also creates uncertainty as to precisely what constitutes compliance with the risk analysis requirement.
To reduce some of this uncertainty, HHS issued guidance on “several elements a risk analysis must incorporate, regardless of the method employed.”[10] Those elements include the following:
Document where ePHI is stored and transmitted (data inventory and mapping). The scope of the risk analysis must include all ePHI in all forms of electronic media. Examples include portable devices such as thumb drives, laptops, and mobile phones as well as individual desktops, email accounts, fax machines, printers, network storage devices such as file servers and backup servers, cloud storage servers, and electronic medical record (EMR) servers. Other examples may be specific to an organization’s practice, such as a medication dispensing system or imaging devices, if they store or transmit ePHI. The risk analysis should include an inventory that identifies and documents all places where ePHI is stored or transmitted and map how data flows to, from, and within the organization.
Document Potential Threats and Vulnerabilities. For each place where ePHI is stored or transmitted, the organization must identify and document reasonably anticipated threats and vulnerabilities to ePHI in each location. For example, if ePHI is stored and transmitted in email accounts, one vulnerability is a compromise of the credentials for the email account. If ePHI is stored and transmitted on the local hard drives of portable devices such as laptops or smartphones, another vulnerability is unauthorized access to the data on the device, should it be lost or stolen.
Document Current Security Measures. For each place where ePHI is stored or transmitted, the organization must document its current security measures protecting that location from threats and vulnerabilities. Using the example of portable devices, the organization may encrypt locally stored data at the hardware level or implement remote access tools that administrators can use to delete the device’s contents.
Determine the Level of Risk. While the Security Rule does not specifically define “risk,” HHS guidance defines risk as a function of (1) the probability that a particular threat will trigger or exploit a particular vulnerability and (2) the impact to the organization should this occur. HHS recognizes that this process could be quantitative or qualitative. For example, an organization could quantify risk on a scale of 1 to 10. Alternatively, an organization could characterize risk as low, medium, or high.
Document Risk Analysis. The organization must document the results of its risk analysis, including each step of the process outlined above. A short summary report will likely not be sufficient to demonstrate that the risk analysis was “accurate and thorough.” Documenting the risk analysis is especially important when an organization is being audited by OCR after experiencing a data breach, as OCR often requests copies of all risk analysis reports going back as far as six years.
Repeat Analysis. HHS recognizes that the Security Rule does not specify how frequently an organization must perform a risk analysis. HHS guidance states that organizations should conduct risk analysis annually, biennially, or every three years. However, the department’s recent Notice of Proposed Rulemaking would require organizations to conduct a risk analysis at least annually.[11] HHS guidance also maintains that organizations should conduct a risk analysis whenever an organization makes a material change to its operations. HHS provides examples of situations that might require an updated risk analysis, including a security incident, a change in ownership, turnover in key staff or management, or the incorporation of new technology.
Common Deficiencies
The HHS Senior Advisor for Cybersecurity presented a webinar in October 2023 that elaborated on the risk analysis requirements.[12] During the webinar, the presenter emphasized that a risk analysis must be “accurate and thorough,” noting that a common deficiency in risk analyses is the failure to conduct an inventory of all systems that store or transmit ePHI. The presenter also acknowledged that organizations often conflate a HIPAA compliance gap assessment with a risk analysis, which are two different things.
Other common deficiencies include the use of template forms or generic tools in conducting a security risk analysis. OCR has specified that the risk analysis must pertain to the specific operations of the organization. Template forms and generic tools may fail to account for the unique aspects of an organization’s network and fail to identify specific risks posed to that environment.
Where to Begin
Again, the Security Rule allows organizations flexibility in how they conduct their risk analysis. HHS points to NIST Special Publication 800-30 as one example of a guide for conducting a risk analysis.[13] In addition, the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with OCR, developed a Security Risk Assessment Tool (SRA Tool). The SRA Tool is a computer application designed to walk health care organizations through the steps of a risk analysis.[14]
While the SRA Tool may be helpful as a starting point, HHS maintains that it is provided for informational purposes only.[15] HIPAA does not require its use, and its use does not guarantee compliance with HIPAA.[16] Fundamentally, the SRA Tool still requires organizations to make their own judgments regarding the probability, impact, and risk posed by any particular threat or vulnerability.
For support in identifying threats and vulnerabilities, making judgments about risk, and developing risk management plans, organizations often engage subject matter experts such as cybersecurity firms and law firms to help conduct a risk analysis. In light of OCR’s ongoing enforcement initiative and the risks posed by cybersecurity incidents, health care organizations will benefit from conducting a thorough risk analysis at their earliest opportunity.
[1] The OCR within HHS is the primary enforcement agency for HIPAA. They conduct investigations, compliance reviews, and take enforcement actions against covered entities that violate the Privacy or Security Rules.
[2] U.S. Dept. of Health and Human Services, “HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice” (April 25, 2025) available at https://www.hhs.gov/press-room/ocr-hipaa-racap-np.html (last accessed May 14, 2025).
[3] U.S. Dept. of Health and Human Services, “HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000” (October 31, 2024) available at https://us.pagefreezer.com/en-US/wa/browse/0a7f82bb-be6e-448a-ae11-373d22c37842?url=https:%2F%2Fwww.hhs.gov%2Fabout%2Fnews%2Findex.html×tamp=2025-01-19T07:02:28Z (last accessed May 14, 2025)
[4] 90 FR 915
[5] 45 C.F.R. § 164.308(a)(1)(ii)(A).
[6] As the arbiter of HIPAA regulations, HHS is also charged with providing guidance to medical providers as to interpreting and implementing the requirements set forth by the regulations.
[7] U.S. Dept. of Health and Human Services, Office for Civil Rights, “Guidance on Risk Analysis” (July 14, 2010), available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html (last accessed May 14, 2025).
[8] Id.
[9] Id.
[10] Id. Notably, OCR issued a Notice of Proposed Rule Making in January 2025, seeking to amend the Security Rule’s risk analysis requirement to explicitly incorporate these elements. 90 FR 898.
[11] 90 FR 1012.
[12] OCR Webinar: The HIPAA Security Rule Risk Analysis Requirement, available at https://www.youtube.com/watch?v=hxfxhokzKEU (last accessed on May 14, 2025).
[13] U.S. Dept. of Health and Human Services, Office for Civil Rights, “Guidance on Risk Analysis” (July 14, 2010), available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html (last accessed May 14, 2025); see also NIST SP 800-30, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf?language=es (last accessed May 14, 2025).
[14] Office of the National Coordinator for Health IT, “Security Risk assessment Tool,” available at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool (last accessed May 14, 2025)
[15] Id.
[16] Id.
EXPENSIVE LOSS: #BigLaw Firms Charge Volkswagen Over $2.2MM in Fees and Costs– Settle TCPA Class Action For $275,000 Individually Anyway (GROSS!)
For anyone wondering what the cost of TCPA class action defense looks like when you retain #biglaw, buckle up because I have a fantastic story for you.
A while back a guy named Brian Trenz sued Volkswagen in a TCPA class action.
The suit apparently arose out of the actions of some companies called On-Line Administrators, Inc. dba Peak Performance Marketing Solutions, On-Line Administrators, LLC, and Affinitiv, Inc–at least they ended up owing VW indemnity, but we will get to that.
So VW goes off and hires two large firms to defend it. Faegre and Baker Hostetler.
Now if you’re a TCPAWorld reader you already know that was a mistake. But how big of a mistake? Let’s find out.
Well after litigating the case for years the big law firms finally got the case settled for $275,000.00 on an individual basis.
Eesh.
So many opinions on that.
But it gets so much worse.
These two lovely law firms apparently billed Volkswagen–wait or it– $2,245,305.62 in attorneys fees to defend the suit.
Over $2.2MM to defend a TCPA class action suit folks.
Now, as mentioned, the Peak defendants were apparently on the hook for indemnity. So after the case settled–and all those fees were paid to defend the suit– VW turned around and hired more lawyers to sue Peak to recover the $2.2MM.
Here’s where things get REALLY interesting.
In order to recover its fees, the Defendant needed to demonstrate the demanded fees were reasonable.
The Peak defendants hired an expert to look at the #biglaw billing entries and–surprise surprise– the expert found the billing to be wildly inefficient, duplicative, and just flat unreasonable.
Yeah, nobody surprised there.
Nonetheless the court determined the $2MM+ charged by #biglaw was actually mostly reasonable!
In Volkswagen Group v. On-Line Administrators 2025 WL 1503120 (C.D. Cal May 27, 2025) the court essentially determined paying two law firms over $2MM in fees is actually pretty smart considering that the TCPA class action had over $2BB in potential liability.
The Court’s reasoning was essentially the amount #biglaw spent on the stuff it did was not too high– but the Court (and Peak’s expert) missed that the stuff it did SHOULD NEVER HAVE BEEN DONE had the case been litigated properly.
Ironically, therefore, Peak screwed up by retaining an expert to review the BILLING practices of #biglaw as opposed to the LITIGTION practices.
For instance, had the case been competently handled in my view it would never have been certified. And a million in fees could have been avoided easily. But… whatever.
The Court did find some of #biglaws billing practice to be unacceptable, but only trimmed the fees by a moderate ~7%. So Volkswagen was entitled to recover just over $2MM in fees although it had to take a bit of a haircut.
In terms of the settlement itself, the Court determined “Volkswagen’s $275,000 settlement was reasonable and is recoverable in full.”
Think about that.
A guy gets a few phone calls and settles his case INDIVIDUALLY for $275,000.00 because the defendant hired #biglaw.
THIS is why TCPA class actions have doubled year-over-year. THIS is why TCPA class actions are overrunning our courts. THIS is why small businesses are getting hit with shake down lawsuits daily.
Get sued in a TCPA class action– thank #biglaw.
By comparison, Troutman Amin, LLP handles multi-billion dollar exposure TCPA class litigation in federal court EVERY SINGLE DAY. While I cannot reveal settlement amounts it is public record that we do CLASS settlements in the $275,000.00 range– not individual settlements.
Our results CRUSH those like happen here and we NEVER spend millions to defend a single TCPA suit. Absolutely nuts.
If you want to waste millions in fees and LOSE, by all means hire #biglaw.
If you want to get better results for way less money, hire the guys who actually know what the hell they’re doing.
But at the end of the day Volkswagen won, sort of.
Sure it had to eat millions of dollars in fees and have its settlement publicly disclosed but now it has spent some unknown amount of additional money to obtain a judgment against the Peak defendants who will now probably try to negotiate the settlement down or just declare bankruptcy and not pay it.
And that leads to the ultimate take aways here:
Be INCREDIBLY careful with who you work with for outbound calling or lead generation. Just because someone gives you an indemnity agreement does not mean it is worth the paper it is printed on– and even if it is you may still have to defend resulting TCPA lawsuit all the way to judgment.
Be INCREDIBLY careful about who you retain to defend you in TCPA class litigation. This is literally a multi-million dollar decision and it DOES matter. Many people don’t know that #biglaw attorneys will try to sell you to work with their partners while taking secret kick backs they don’t tell you about. Totally unethical but it happens all the time.
The exposure in these cases is wild. And companies will pay hundreds of thousands of dollars to settle these suits individually just to get out from under #biglaw’s bills. This, of course, just incentivizes more lawsuits. But that’s the way it goes.
Michigan AG Sues Roku Over Alleged Privacy Violations
The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children’s Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states’ attorneys general, but no private right of action. Most cases brought since COPPA’s passage have been brought by the FTC, however, and not by states. This current Michigan case comes after a group of 43 states, including Michigan, sent a letter to the FTC urging it to strengthen and update its COPPA Rule.
In this lawsuit, Michigan claims that Roku collected children’s names, device IDs, locations, voice recordings, and other personal information without getting parental consent. Roku also shared this information with advertisers and data brokers to serve targeted ads to children. This activity occurred on the kids and family channel of Roku, and other areas of the Roku service that were targeted to children. Unlike competitors’ services, the complaint alleges, Roku does not have the ability to create child profiles, which profiles would have permitted parents to moderate and control their children’s use of the services.
According to the Michigan AG, Roku knew that it was collecting personal information from children, and was an operator of an “online service” as defined by COPPA. As such, it should have gotten parental consent from parents before collecting and sharing personal information from children. It also should have had appropriate notice of these practices in its privacy policy as contemplated under COPPA. The AG also alleged violations of the state’s unfair and deceptive trade practice laws, as well as counts relating to VPPA as – it alleged – Roku is a video tape service provider under that law, which impacts the ability to disclose information about people’s viewing habits to third parties.
Putting it Into Practice: For companies that are directed to or have actual knowledge of collecting information online from children under 13, this case is a reminder that state attorneys general can bring COPPA cases. We may see other, similar, actions in the future. It also suggests what AGs will view as an “online service” under the law, beyond a mere website.
Listen to this post
James O’Reilly also contributed to this article.
The Intersection of AI, Digital Health, and the TCPA: What You Need to Know
Artificial intelligence (AI) is widely transforming digital health, including by automating certain patient communications. However, as health care companies consider deploying AI-driven chatbots, texting platforms, and virtual assistants, they should not forget about the highly consequential, and highly litigated, Telephone Consumer Protection Act (TCPA).
Many digital health companies mistakenly assume that they only need to consider the Health Insurance Portability and Accountability Act (HIPAA) when considering whether to text or otherwise communicate with patients via various means. HIPAA governs the privacy and security of protected health information. The TCPA, by contrast, protects consumer rights around how and why patients are contacted.
The TCPA has become a key regulatory consideration for any digital health company that uses technology to communicate with patients by telephone or text message. As AI enables more scalable and automated outreach, understanding the TCPA’s boundaries is key to ensuring regulatory compliance and avoiding costly litigation.
Why the TCPA Matters in an AI-Enabled Health Environment
The TCPA restricts certain calls and texts made using an “automatic telephone dialing system” (ATDS), as well as prerecorded or artificial voice messages, without prior express consent. When such communications are made for marketing purposes, prior express written consent may be required. Even health care companies that use AI-powered systems to send appointment reminders, refill prompts, or wellness check-ins by telephone or text — as opposed to marketing, user engagement, or upselling services — may fall within the TCPA’s scope, especially if those communications are automated. Note that although the TCPA includes exemptions for certain health care messages, there are numerous parameters for meeting this exception and we urge caution in relying on it.
Even though the Supreme Court’s 2021 decision in Facebook v. Duguid narrowed the definition of an ATDS, TCPA compliance remains a moving target. Further, some states have their own version of the TCPA that may define ATDS or similar technology in a different way. This creates real legal risk even for digital health companies with no robocall or telemarketing intent.
AI Chatbots and Virtual Assistants: Are They “Artificial Voices”?
One of the most pressing legal questions, and a focus of plaintiffs’ attorneys, is whether AI-powered voicebots or chatbots qualify as “artificial or prerecorded voice” communications under the TCPA. Although the Federal Communications Commission’s (FCC) 2024 ruling clarified that AI-generated voices fall into this definition, reaffirming that these types of communications are subject to the TCPA’s consent requirements, the legal landscape remains unsettled.
Courts continue to wrestle with how this interpretation applies to emerging technologies like chatbots, especially text-based systems that do not emit sound but still automate patient communication. Some plaintiffs argue that such AI technology, even if it responds dynamically to user input, meets the statutory definition of “artificial voice” because it lacks a live human on the line. If courts agree, this could impose significant restrictions on AI-driven patient engagement tools unless proper consent is obtained.
The FCC’s authority, although influential, does not fully preempt judicial interpretation, and differing court decisions may shape how the TCPA applies to various forms of AI-powered communication. As a result, companies must stay alert to both regulatory guidance and case law developments.
What Digital Health Companies Should Do Now
Below are four practical steps to stay on the right side of TCPA compliance in the AI era:
1. Conduct a TCPA Risk Assessment
Review all patient outreach channels (SMS, voice, chat, etc.) and determine which systems are AI-driven or automated. Flag any that fall within the TCPA’s scope. Consider any differing requirements under state versions of the TCPA applicable to your business.
2. Audit Your Consent Flows
Ensure that your consent language clearly distinguishes between HIPAA and TCPA compliance. For marketing communications, confirm you have prior express written consent. Consider “marketing” to be broadly defined.
3. Consent is King
When in doubt, obtain prior express written consent for communications in your user flow.
4. Monitor Litigation Trends
Stay current on case law developments regarding AI, chatbots, and “artificial voice” interpretations. Legal interpretations are evolving quickly.
Final Thoughts
AI is revolutionizing patient communication, but it can also amplify regulatory exposure. The TCPA remains a favorite tool for class-action lawsuits, and digital health companies should treat it with the same seriousness as they treat their HIPAA compliance.
As AI capabilities grow, the gap between innovation and regulation is widening. Thoughtful contracting, consent design, and legal review can help digital health companies lead with compliance, while still delivering smarter, scalable care.
Another FCA Cybersecurity Settlement Reinforces the Enforcement Trend
A recent United States Department of Justice (DOJ) announcement highlights the fact that the government’s emphasis on cybersecurity enforcement under the False Claims Act (FCA) is not slowing down. According to the press release, four companies — RTX Corporation (RTX), Raytheon Company (Raytheon), Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively, Nightwing) — agreed to pay US$8.4 million to settle an FCA matter arising from a qui tam relator’s suit alleging that Raytheon and its former subsidiary failed to comply with cybersecurity requirements in federal contracts.
The Raytheon Settlement
Raytheon’s former director of engineering, Branson Kenneth Fowler, Sr., filed the qui tam suit in August 2021. Federal defense contractors and subcontractors like Raytheon are required to implement certain cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But, according to this lawsuit, Raytheon allegedly failed to meet these requirements in connection with its work on federal contracts. The allegations centered on Raytheon’s internal network system, referred to as “DarkWeb.” Raytheon allegedly (a) used DarkWeb to store, transmit, and develop protected information in connection with its work on certain defense contracts even though that system failed to comply with NIST SP 800-171’s cybersecurity requirements; and (b) failed to develop the requisite system security plan for this internal system.
Notably, Raytheon notified certain government contractors, in May 2020, that it believed its information system did not comply with federal cybersecurity regulations and subsequently deployed a replacement system, ceasing to use DarkWeb. But according to the settlement, Raytheon’s alleged failure to implement these mandated security requirements on DarkWeb rendered false all claims for federal contracting work performed on DarkWeb.
The defendants deny these allegations but agreed to pay US$8.4 million to resolve the allegations. As the qui tam relator, Mr. Fowler will receive over US$1.5 million in connection with the settlement.
Finally, the conduct giving rise to the qui tamsuit occurred between 2015 and 2021 — years before Nightwing purchased RTX’s cybersecurity business in 2024. This illustrates the significant risk of successor liability and underscores the importance of assessing a target’s cybersecurity compliance as part of due diligence.
Recommendations
Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
Catalogue and monitor compliance with all government-imposed cybersecurity standards. Ensure your organization has a comprehensive list of all cybersecurity requirements and covered systems in your organization. These requirements may come not only from prime government contracts but also subcontracts, grants, or other federal programs. This includes not only ongoing knowledge of the organization’s contracts but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships.
Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly.
Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.
Implement robust diligence for compliance with cybersecurity requirements in mergers and acquisitions. As this settlement shows, liability arising from an acquired entity may be imposed on the acquiring entity in some instances. Due diligence processes should seek to identify cybersecurity requirements in contracts (whether contracts with the government or private actors) and obtain verification of compliance. If that level of due diligence is not possible before closing a deal, it is important to conduct that assessment soon after closing so that problems can be identified and remediated promptly.
States Move Forward with Privacy Protections to Close HIPAA Gaps for Health, Reproductive Health Info
Takeaways
Multiple state laws are strengthening protections for health data, increasingly going beyond HIPAA, healthcare providers and health plans.
Certain categories of health information, such as reproductive health, have greater privacy protections.
Organizations cannot look solely to HIPAA when assessing privacy compliance.
Related links
My Health, My Data Act (Washington State)
Washington State’s My Health, My Data Act Sent to Governor
Nevada’s Governor Signs Health Data Privacy Act
Virginia Amended Consumer Protection Act (SB754)
California Consumer Privacy Act, California Privacy Rights Act FAQs for Covered Businesses
Colorado Becomes Third State to Enact a Comprehensive Privacy Law
Article
When it comes to safeguarding health data, the Health Insurance Portability and Accountability Act (HIPAA) is paramount. HIPAA’s extensive reach encompasses nearly all healthcare providers and all health plans, affecting just about every American. However, its coverage is not complete. States are stepping in to address the gaps and tackle specific areas of concern, such as reproductive health information.
Businesses will want to closely monitor state law developments even if they are not healthcare providers or health plans covered by HIPAA. This is especially important for businesses operating across multiple states. Even for covered entities or business associates under HIPAA, certain aspects of state laws still may raise compliance issues to consider.
To illustrate, consider the laws of Washington, Nevada, Virginia, and New York.
Washington
Washington’s My Health, My Data Act is considered one of the first comprehensive state laws addressing certain health data not covered by HIPAA. The legislative findings explain part of the thinking:
Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific healthcare entities, including most healthcare providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.
The Washington law applies to “regulated entities” — entities that
Conduct business in Washington, or produce or provide products or services targeted to consumers in Washington; and
Alone or jointly with others, determine the purposes and means of collecting, processing, sharing, or selling consumer health data.
The law’s application is not limited to providers or plans. Further, although the law covers the typical categories of health information, such as health condition or diagnosis, it also addresses more specific categories of health information, including:
Gender-affirming care information.
Reproductive or sexual health information.
Biometric data.
Genetic data.
Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies.
Violations are enforceable by the prosecution by the state’s Attorney General’s Office or by private actions brought by affected consumers.
Nevada
In 2023, Nevada enacted protections like those under Washington’s My Health, My Data Act. However, the Nevada law does not include a private right of action.
Virginia
Virginia recently amended its Consumer Protection Act (VCPA), effective July 1, 2025, focusing on safeguarding reproductive and sexual health information. The VCPA regulates “suppliers,” defined as a “seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.” Based on this definition, the compliance obligations, along with litigation and enforcement risks, extend beyond HIPAA in several respects. The amendments to the VCPA aim to bolster consumer protection, particularly in managing reproductive and sexual health information.
Key points for businesses:
Prohibition on Collection and Disclosure Without Explicit Consent: The law strictly prohibits the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information unless explicit consent is obtained. “Consent” means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
Broad Definition: The definition of “reproductive or sexual health information” is broad and includes data related to past, present, or future reproductive or sexual health, such as efforts to obtain reproductive health services, use of contraceptives, health status (e.g., pregnancy and menstruation), and treatments or surgeries.
Exclusions: The law excludes HIPAA-protected data and records related to substance use disorder treatment.
Private Right of Action and Enforcement: Individuals may bring an action for violations and can potentially recover the greater of actual damages or $500. The state attorney general may also investigate violations and seek civil penalties of up to $2,500 for willful violations.
New York
Earlier this year, New York passed Senate Bill 929, the “New York Health Information Privacy Act” or “New York HIPA.” (If it becomes law, referring to these laws will become a little more confusing: HIPAA, HIPPA, HIPA, and so on.) HIPA generally follows the approaches taken by the state laws discussed above. It does not provide a private right of action but grants the state attorney general authority to seek civil penalties of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as other forms of relief.
Comprehensive State Privacy Laws
Many states have adopted comprehensive privacy laws that protect personal information in general, including health-related data. While the definitions of covered entities may vary, they should be considered when assessing compliance.
The California Privacy Rights Act (CPRA), for example, has a broad definition of sensitive data that includes mental or physical health conditions and sexual orientation. Similar to Virginia, the CPRA aims to protect consumers’ personal information, but it expands the scope to include sex life, which Virginia’s VCPA does not. The Colorado Privacy Act also includes “sex life” in its definition of sensitive data. These a just a few differences in how states define and protect categories of sensitive data.
Even before the Trump Administration began to reimagine the federal government’s role in regulatory and enforcement activities, states had already identified gaps in HIPAA’s protections for health information and begun to address them. Consequently, a broader range of entities must now revisit their handling of health information, especially if they have been outside of HIPAA’s reach.
Montana Amends Law to Cover Collection and Use of Neural Data
Montana recently revised its Genetic Information Privacy Act to address neural data. The law went into effect in 2023 and applies to both entities that offer genetic testing services as well as entities that use genetic data.
Under the current law, covered entities must provide notice and also have choice obligations. This includes getting consent about collection, use and sharing of genetic data. Covered entities must include specific content in the consent request. They also need to give separate notice in several circumstances. This includes if they want to share genetic information with non-vendor third parties or use it for marketing purposes. There are also data security obligations under the law, as well as access obligations.
The Montana governor signed SB 163 on May 1 to amend the Genetic Information Privacy Act. As a result, beginning October 1, 2025, there will be several changes to the law. They include:
Neural data will be covered by the law: As revised the law will cover “neurotechnology data.” This is information capable of “recording, interpreting, or altering the response of an individual’s central or peripheral nervous system” to its external environment. (This definition is slightly different than that which California and Colorado added to their comprehensive privacy laws.)
De-identified neural data out of scope: As modified, the law will also except from coverage deidentified neural data that is used for research purposes. To be deidentified, among other things, the information cannot be reasonably linked to the individual, and measures must be taken to ensure that the data cannot be reassociated with an individual.
Exceptions added to right of access: Also as modified, the law will provide for exceptions to the obligation to give individuals access to covered data, including if express consent was obtained from an individual participant in a clinical trial which was obtained following the provisions specified in the law (these include content and font size obligations, among other things).
Putting it Into Practice: This modification to Montana’s Genetic Information Privacy Act reflects regulators’ concerns with uses of neural data, which companies might use when offering wearable technology or engaging in advertising that measures emotional engagement. This modification is a reminder for those who engage in these activities to review their notice process and consider whether consent might be needed under this or similar laws.
Listen to this post
The SEC’s Latest Agenda
In December of last year we posted on Hunton’s Retail Law Resource Blog about the changing of the guard at the Securities and Exchange Commission (“SEC”) with the new administration. Paul Atkins was nominated by President Donald J. Trump on January 20, 2025, confirmed by the U.S. Senate on April 9, 2025, and sworn in as the 34th Chairman of the SEC on April 21, 2025.
The Practicing Law Institute annually presents a conference titled “SEC Speaks” in cooperation with the SEC, and Chairman Atkins spoke on his agenda at this year’s program on May 19, 2025. Chairman Atkins began by stating his intent to discuss innovation and how the SEC should “embrace and champion it” rather than fear it. He provided a recent history lesson of progress that has come from a proactive SEC. His timeline started with the computerization of securities in the 1970s, highlighted other innovation such as the earliest exchange-traded fund launching in the 1990s, and led us to his first agenda point titled “Crypto Innovation” in his written remarks. Chairman Atkins announced that Commission staff across policy divisions has been directed to begin drafting crypto proposals and to “maintain transparent interactions with the public” to help provide useful insights. We should expect the SEC to provide clear rules related to crypto under this administration, but an anticipated date for such was not provided.
Continuing with his theme of innovation, the second point of Chairman Atkins’s agenda was to integrate the functions of the SEC’s Strategic Hub for Innovation and Financial Technology (“FinHub”) into other parts of the agency. Chairman Atkins explained that FinHub was created during a critical time of emerging technologies but believes it is too small to be efficient for more than its current focus. Congress has to approve the reprogramming, but integrating the priorities FinHub was founded under into the culture of the SEC will be key for Chairman Atkins.
The third point of Chairman Atkins’s agenda was on investing in private funds. Specifically, to reconsider the practice and 23-year position of the SEC that investments by closed-end funds of 15% or more of their assets in private funds should impose minimum initial investment requirements and restrict sales that satisfy the accredited investor standard. Chairman Atkins noted that important disclosure issues need to be considered and resolved, but we should expect to see more on this. Finally, Chairman Atkins announced that he had instructed the SEC staff to undertake a comprehensive review of the Consolidated Audit Trail (“CAT”). He requested the costs of the system be examined, as well as reporting requirements and the scope of what is collected by the CAT.
From beginning to end, the new Chairman highlighted promoting innovation. We will continue to watch for the written and spoken guidance of the SEC to see how they “embrace and champion” these above agenda points.
CMS to Immediately Begin Auditing Medicare Advantage Plans in Significant Expansion of Enforcement Efforts
On May 21, 2025, the Centers for Medicare and Medicaid Services (“CMS”) announced a significant expansion of its auditing efforts with respect to Medicare Advantage (“MA”) plans.
For newly initiated audits of MA plans, CMS will audit all eligible MA contracts for each payment year. Additionally, for audits already initiated, CMS will expedite the completion of audits for payment years (“PYs”) 2018 through 2024. While the Trump Administration has expressed frustration at the fact that CMS is currently several years behind in completing these audits, CMS has vowed to shore-up its backlog and complete all audits for PY 2018 to PY 2024 by early 2026.
CMS verifies the accuracy of risk-adjusted payments to MA plans by conducting Risk Adjustment Data Validation (“RADV”) audits, which seek to ensure that any diagnoses submitted by health plans are supported by the patient’s medical records. If such diagnoses are unsupported, CMS may seek recoupment of funds paid to those MA health plans based on the unsupported risk adjusted diagnoses.
CMS has outlined a two-pronged approach in accelerating RADV audits. First, it will use enhanced technology to efficiently review medical records and flag unsupported diagnoses—allowing CMS to drastically increase the number of audits conducted each year. Currently, CMS audits between 50 and 60 health plans per year—CMS expects that such enhanced technology will enable them to enable all 550 active MA health plans each year. Additionally, CMS will increase its auditing sample of each MA health plan from 35 records per health plan per year to 200. Second, CMS will substantially increase the number of medical coders employed to manually verify flagged diagnoses—increasing audit efficiency. CMS notes that it plans to increase its team of medical coders from 40 to approximately 2,000 by September 1, 2025.
CMS’s continued and now-heightened and aggressive focus on RADV audits comes as part of the Trump Administration’s intensified efforts to combat waste, fraud and abuse in health care. It is important to note that while CMS may recover overpayments made to MA health plans based on unsupported diagnosis codes, the MA health plans may then seek to recover those amounts from downstream providers. Depending on their contract with the MA health plan, such downstream providers may be scrutinized for causing the MA health plan to submit an unsupported diagnosis code to CMS. Such aggressive enforcement measures from the Trump Administration signals to the industry that it should ensure that the auditing and monitoring component of its compliance program is proactive and not just reactive.
CMS’s most recent final rule on RADV audits, which updated RADV audit methodology with the aim of improving MA program integrity and payment accuracy, became effective on April 3, 2023.
It’s Time Again for Employer’s to File Their EEO-1 Reports
This is a reminder that the 2024 EEO-1 Component 1 data collection opened on Tuesday, May 20, 2025. All employers who have at least 100 employees and employers who are federal government contractors who have at least 50 employees are required to complete and submit an EEO-1 Report (a government form that requests information about employees’ job categories, ethnicity, race, and gender) to the Equal Employment Opportunity Commission (EEOC) and the U.S. Department of Labor every year. The deadline to file the 2024 EEO-1 Component 1 report is Tuesday, June 24, 2025.
Per the EEOC, “The collection period will not extend beyond the Tuesday, June 24, 2025 “Published Due Date” deadline. Additionally, beginning with the 2024 EEO-1 Component 1 data collection, all communications sent to filers will be electronic. No notifications about the 2024 collection will be sent to filers via postal mail. To meet this deadline, the EEOC strongly encourages eligible filers to begin the filing process as soon as possible.”
Additionally, the EEOC has stated that it will not provide a “failure to file” period as offered in previous years, and employers should not expect an extension. For more information please visit here.