WAR OF ATTRITION: Lead Seller Stuck in TCPA Suit After Settling with Litigator Wins Transfer of Third-Party Suit
Interesting little case for you folks today.
Any time you are in a TCPA class action that involves multiple parties– such as when a lead seller makes calls and then transfers the calls to a buyer who is subsequently sued– the defendants need to work together to avoid a terrible mistake.
The mistake– one party trying to settle out with the Plaintiff alone.
Why is this such a mistake?
Well, first it just funds the plaintiff’s ability to fight the lawsuit against the remaining parties. So it creates a “no lose” situation for the plaintiff and his lawyers.
But that’s just the half of it.
Most of the time the settling defendant isn’t actually out of the case at all– they get sucked back in by the other defendants who pull them down like the proverbial crabs in a pot.
For instance in Katz v. Allied First Bank, 2025 WL 1489176 (N.D. Ill. May 24, 2025), Katz originally sued both Allied First Bank– the lead buyer–and Consumer Nsight– the lead seller– for calls allegedly made by CN without consent.
CN thought it would be smart to settle their claims with Katz and leave Allied holding the bag.
So silly.
Although CN ended up dismissed by Katz it was immediately sued by Allied and is now stuck in the case.
Except rather than fight out the claim in the same proceeding CN made another mistake and has asked–and was granted– a transfer of the suit.
In Katz the Court determined CN was not subject to personal jurisdiction in Illinois where the case was brought. So now CN will be sued in either Florida or Arizona, which is a hollow victory. Rather than being present to help defend against the underlying suit Katz brought it is now going to be fighting a residual lawsuit in a court room thousands of miles away.
Not smart in my view.
So what should have happened?
Well CN should have used its willingness to settle to push Katz to a global resolution and should have worked with Allied to get it done. If Allied really wanted to fight it should have negotiated a release from Allied before settling with Katz.
Instead all CN has accomplished is feeding Katz to make sure he can pursue his case against Allied– and by extension Allied’s case against CN.
Just a terrible move IMO.
In any event we will keep an eye on this.
Pretty clear takeaways:
Lead purchases continue to be risky so make sure you know and trust your partners!
Do NOT settle a case and expect to walk away if there are other parties involved. Negotiate the deal globally or arrange a release from co-defendants.
Federal Take It Down Act Targeting Revenge-Porn Becomes Law
On May 19, 2025, President Donald Trump signed into law the Take It Down Act (S.146). The federal legislation criminalizes the publication of non-consensual intimate imagery and AI-generated pornography. It comes following approximately forty states already enacting legislation targeting online abuse.
What are the Take It Down Act’s Requirements?
The federal Take It Down Act creates civil and criminal penalties for knowingly publishing or threatening to share non-consensual intimate imagery and computer-generated intimate images that depict real, identifiable individuals. If the victim is an adult, violators face up to two years in prison. If a minor, up to three years.
Social media platforms, online forums, hosting services and other tech companies that facilitate user-generated content are required to remove covered content within forty-eight hours of request and implement reasonable measures to ensure that the unlawful content cannot be posted again.
Consent to create an image will not be a defense.
Exempt from prosecution are good faith disclosures or those made for lawful purposes, such as legal proceedings, reporting unlawful conduct, law enforcement investigations and medical treatment.
What Online Platforms are Covered Under the Take It Down Act?
Covered Platforms include any website, online service, application, or mobile app that serves the public and either: (i) provides a forum for user-generated content (e.g., videos, images, messages, games, or audio), or (ii) in the ordinary course of business, regularly publishes, curates, hosts or makes available non-consensual intimate visual depictions.
Covered Platforms do not include broadband Internet access providers, email services, or online services or websites with primarily preselected content where the content is not user-generated but curated by the provider – and interactive features are merely incidental or directly related to the pre-selected content.
What are the Legal Obligations for Covered Online Platforms?
The Take It Down Act requires covered platforms to ensure compliance via, without limitation: (i) providing a clear and accessible complaint and removal process; (ii) providing a secure method for identity verification; and (iii) removing unlawful content and copies thereof within forty-eight hours of receipt of a verified complaint.
The new law also contains recordkeeping and reporting requirements.
While not expressly required, platforms are well-advised to address content moderation filtration policies. Reasonable efforts are, in fact, required to identify and remove any known identical copies of non-consensual intimate imagery.
Website agreements, as well as reporting and removal processes are amongst the legal regulatory operational compliance areas that warrant consideration and attention.
Who is Empowered to Enforce the TAKE IT DOWN Act?
The Federal Trade Commission has been authorized to enforce the Take It Down Act notice and takedown requirements against technology platforms that fail to comply. Violations are considered deceptive or unfair.
Good faith, prompt compliance efforts may be considered a safe harbor and a mitigating factor for platforms in the context of regulatory enforcement. Internal processes that document good faith compliance efforts, including the documentation of all takedown actions, should be implemented in order to avail oneself of the safe harbor.
Removal and appeals processes must be implemented on or before May 19, 2026.
Takeaway: Covered online platforms including, but not limited to, those that host images, videos or other user-generated content should consult with an FTC and State Attorneys General Defense and Investigations attorney to discuss compliance with the Act’s strict takedown obligations, and do so in advance of the effective date in order to minimize potential liability exposure.
Texas AG Announces $1.375 Billion Settlement with Google for Privacy Violations
On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity. More specifically, according to the AG’s allegations, Google (1) continued to collect and use precise location data even when users disabled location services, (2) misled users to think that activity would not be tracked when using the “Incognito” mode in Google’s Chrome browser, and (3) captured and used biometric identifiers, such as voiceprints and facial geometry, in violation of the Texas Capture or Use of Biometric Identifier Act through products such as Google Photos and Google Assistant.
A press release from the Texas AG’s Office stated that the settlement delivers “a historic win for Texans’ data privacy and security rights. . . . To date, no state has attained a settlement against Google for similar data-privacy violations greater than $93 million. Even a multistate coalition that included forty states secured just $391 million — almost a billion dollars less than Texas’s recovery.”
A Google spokesperson said in a statement that the agreement “settles a raft of old claims, many of which have already been resolved elsewhere, concerning product policies we have long since changed.” The spokesperson said that Google is pleased to put the claims behind them and will continue to build robust privacy controls into Google services.
NY DOH Publishes Electronic Material Health Care Transaction Reporting Form, Increasing Disclosure Requirements to Include Potentially Sensitive Business Information
On May 15, 2025, the New York State Department of Health (“DOH”) announced the launch of the electronic Material Transaction Reporting Form for health care transactions (“Electronic Form”). To assist reporting entities in preparing their submissions, the DOH has also released a list of all questions included in the Electronic Form.
Collectively, the reporting requirements set forth in the Electronic Form appear significantly more extensive than those imposed by other states, including California’s health care transaction reporting framework. Notably, the Electronic Form includes obligations to disclose potentially sensitive business information, such as investor materials.
Existing Statutory Authority
Proskauer has tracked the evolving reporting obligations in a series of posts, including one published last month that discussed the latest DOH guidance concerning the reporting obligations.
Pursuant to PHL § 4552, a health care entity shall submit to the DOH “written notice, with supporting documentation as described below and further defined in regulation developed” by the DOH. Such written notice “shall include, but not be limited to:”
The names of the parties to the material transaction and their current addresses;
Copies of any definitive agreements governing the terms of the material transaction, including pre- and post-closing conditions;
Identification of all locations where health care services are currently provided by each party and the revenue generated in the state from such locations;
Any plans to reduce or eliminate services and/or participation in specific plan networks;
The closing date of the proposed material transaction; and
A brief description of the nature and purpose of the proposed material transaction.
As of the publication date of this post, the DOH has not promulgated regulations concerning the law. Nevertheless, the Electronic Form outlines a range of documents and information that reporting entities must submit to the state as part of a material transaction report.
Reporting Obligations to Consider
Below are certain categories of information requested in the Electronic Form that may raise particular concerns for investors and sponsors. Some of the requested categories are sensitive in nature, and careful attention should be paid to ensuring that the DOH treats the submitted information as confidential. Other categories of requested information may require significant effort to analyze and prepare a response, particularly for larger enterprises.
Reporting Obligation Contained in Electronic Form
Impact and Considerations
Part 2, Section A.10-Provide the identities of and interrelationships among the Party and all persons known to control or to be controlled by or under common control with the Party, in a chart that clearly presents the relationships.
-Additionally, the organizational chart must identify (1) voting percentage: the percentage of voting securities for each person identified in the organizational chart and (2) other control: if control of any person is maintained other than by the ownership or control of voting securities, then indicate the basis of such control for each relevant party identified in the organizational chart; as to each person, indicate the type of organization (e.g., corporation, trust, partnership) and the State or other jurisdiction of domicile.
The form appears to require broad disclosure of ownership and control rights of each Party. Of note, the form asks for the disclosure of “all persons known to control or to be controlled by or under common control with the Party,” which may require analysis and review in highly complex, sponsor-backed deal structures to disclose affiliates of the Party.
Part 3, Section B-C-Projected annual revenue (in $ millions) of the Surviving Entity over the next three years.
-Provide information on all transaction activity in the past 3 years by each Party to this Material Transaction.
Any “Party” to the “Material Transaction” must report historic “transaction activity.” The Electronic Form does not clarify whether the disclosure obligation concerns all other historic Material Transactions, or if the DOH expects a party to disclose all historic transactions involving health care entities in the state, regardless of size over the prior 3 years. The historic transaction reporting obligation may require careful review and consideration by entities who consistently engage in transactions in the ordinary course of business.
Part 3, Section D, Subparagraphs (c)-(d)-How many transactions has the Surviving Entity from this Material Transaction engaged in within the prior 12 months (from the anticipated close of this Material Transaction) that have increased gross in-state revenues?
-Considering the most recent of these transactions: Submit the Surviving Entity’s standalone gross in-state revenue before the transaction’s close date. Submit the combined gross in-state revenue of the Parties to this transaction as of the transaction’s close date.
Notice: Any series of transactions designed to evade the threshold provisions of this article shall be deemed a Material Transaction and subject to the notice requirements of Article 45-A of the Public Health Law.
In posing this question, it appears that the DOH is requiring parties to submit information as to prior transactions in a 12-month period in order to potentially determine whether the Parties have complied with the reporting obligations.
Part 3, Section E-For all Parties, submit Financial Statements in conformity with U.S. Generally Accepted Accounting Principles (“GAAP”) or other accounting principles prescribed or permitted under law (audited with an independent CPA’s opinion thereof, preferred but not required) of the Parties to this Material Transaction as of the end of the last two fiscal years.
These financial statements shall include the following components: Balance Sheet; Income Statement; Statement of Cash Flows; Notes to Financial Statement (Narrative); and For the Surviving Entity, also submit projected financial statements dated one day after closing.
The Electronic Form requires all Parties to the Material Transaction to submit financial information.
Part 4, Section A, Subparagraph (a)-(c)-Describe the health care services provided by each Party to the Material Transaction at all locations of operation within New York.
-Does any party to this transaction directly or indirectly employ physicians? If so, each party that directly or indirectly employs physicians should fill out the “Physician Locations Spreadsheet” and upload it in question A(d).
The question asks an entity to report all locations in which it operates in New York. For each location, the Electronic Form asks for gross in-state commercial, Medicare, Medicaid, and other revenue. In addition, if any Party to the Material Transaction employs physicians, the entity is to upload an additional worksheet, titled “Physician Location Spreadsheet”. The spreadsheet requires detailed reporting of physician relationships, including whether the physician is employed or otherwise affiliated with the Party, including their NPI, and hours worked at each location.
Part 4, Section B-Which best describes this transaction?
An acquisition resulting in a Surviving Entity
-For each acquired entity, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
-For the surviving entity, what is the anticipated overall contracted commercial payor rate by service line in the year immediately following the Material Transaction close date for the Surviving Entity as a result of this transaction?
A merger or other transaction resulting in the formation of a New Entity (“NewCo”)
-For each entity involved in the formation of NewCo, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
-For the NewCo, what is the anticipated overall contracted commercial payor rate increase in the year immediately following the Material Transaction close date as a result of this transaction? For any commercial rate increases that are expected as a result of the deal, describe in detail (including any differential in rate increases expected by service and/or location, and the degree of the differential).
The question requires the reporting entity to submit confidential and detailed information concerning health plan reimbursements for each “service line.” The Electronic Form does not define what a “service line” is, a term traditionally utilized by hospitals to describe their business segments.
Part 5-Required Documents: Definitive Transaction Document(s) (e.g., Asset Purchase Agreement); Charter and Bylaws; Operating Agreements or Partnership Agreement(s); and Financing Agreements or documents.
-As Applicable Documents: Fairness Opinions, Offering Memoranda, Private Placement Memoranda, Investor Disclosure Statements, and Other Investor Solicitation Materials.
The broad document request covers a host of documents that are treated as highly confidential in the ordinary course of business.
PROFESSIONAL NEGLIGENCE?: Vonage Failed to Honor DNC Requests in a Manner Leading to TCPA Class Action New Lawsuit Claims
So I was reviewing a $90+MM telecommunications services contract for a major brand yesterday.
$90MM folks.
The money in this industry is insane. But so are the stakes.
Fail to set up your system right and face a TCPA class action with damages that may dwarf an 8 figure contract.
Here’s a cautionary tale.
A company called YF FC Operations, LLC, dba YouFit was sued in a TCPA class action down in Florida by Jeniel Petrovich and Mauricio Cardero.
The essence of the allegations, apparently, was that YouFit failed to honor a DNC request received by YouFit via text message.
Not good.
But YouFit didn’t take the issue lying down.
Instead it sued its telecommunications provider– Vonage– for indemnity and professional negligence, claiming that it was Vonage’s fault the stop notifications at issue in the underlying TCPA class action were not honored.
Per YouFit’s complaint:
On or around July 22, 2023, YouFit engaged Vonage to perform an integration of its systems with YouFit’s CRM provider Hubspot so that YouFit could communicate with its customers and potential customers using a short code (the “Integration”) rather than its toll-free number. The Integration was intended to monitor for the receipt of opt-out text messages from YouFit customers and, upon receipt of an opt-out text message, the customer’s request would be noted in Hubspot and further communication via text would end.
Because of Vonage’s actions, the opt-out messages of Petrovich and Cardero, and potentially thousands of other putative class members, were not recorded in Hubspot as was intended by the Integration. Subsequently, Vonage sent text messages potentially in violation of the TCPA and/or the FTSA.
Now let me just say, I HATE the content of these paragraphs to the extent they essentially concede away critical issues in the TCPA suit.
Why would you admit that “potentially thousands” of individuals received illegal text messages? Literally no reason to do that. Allegations that if anybody received text messages–which should be denied– it was Vonage’s fault would have been sufficient.
But I digress.
The point is that YouFit went straight for the jugular here against Vonage. The Complaint goes on to allege that Vonage shirked its responsibilities to YouFit to defend the suit:
After the Class Action was served on YouFit, YouFit advised Vonage of the Class Action and requested that Vonage assist in the defense and resolution of the Class Action in light of Vonage’s actions. Vonage rejected the request.
Now I am going to guess that Vonage had a contract that disclaimed all liability here, so it will be very interesting to see how this plays out.
Complaint here: Vonage Removal
The bottom line is companies need to be working hand in glove with their telecom platforms to avoid this sort of thing and retaining knowledgeable counsel.
CRITICAL to keep in mind the following when setting up an outreach campaign and to EXPRESSLY set these items out in the MSA or IOs:
Which party is responsible for providing phone numbers to be called? Where will they be sourced from? What level of consent will be required? How will that consent be documented and stored?
Which party is responsible for supplying the DIDs (outpulse phone numbers)? How will they be provisioned? How long will they be kept? Is the use of local touch permitted in the jurisdiction to which calls are made? Who is responsible for assuring that?
Which party is responsible for ingesting, tracking and honoring revocation notifications? How broadly will those revocations be treated? How will multi-channel revocations be handled?
Is the platform to be treated as an ATDS or regulated technology under the TCPA or state laws? If not, who has the risk associated with that assumption? If so, who has the responsibility to assure compliance with applicable consent rules?
Is AI to be used? If not, there should be a clear representation to that effect. If so, there should be a clear articulation of whose responsibility it is to assure training and accuracy of AI model, disclosure of AI usage, and properly documented consents and AI-specific opt outs.
Is telemarketing at issue here? If so, who has responsibility for TSR recordkeeping requirements?
Is outreach to be recorded or reviewed in real time either by the calling party or by any third-party vendor? If so a massive number of state level privacy laws may be triggered– particularly the anti-wiretapping statutes like the California Invasion of Privacy Act. CRITICAL to spot these issues and assign compliance responsibilities between the parties.
These are just a handful of the issues that need to be thought through in virtually any deal. If you’re not working with experienced counsel that knows how to work through these issues you could be in SERIOUS trouble.
Just ask YouFit.
And trust me, suing for indemnity after facing a potentially business-ending lawsuit is not where you want to be. Set expectations. Work with good partners. And, most importantly, work with good counsel. And you should be able to avoid these issues in the first place.
Recent Rulings Against Trump Administration Funding Freezes
Shortly after taking office, President Trump froze funding already allocated to various parties, citing the Administration’s disapproval of issues including climate change and social equity. Additionally, executive agencies removed content discussing climate change from websites.
Unsurprisingly, these actions have been challenged in court. Parties whose funding was frozen sued on the grounds that the freezes violated statutes including the Administrative Procedure Act (APA) or their constitutional right to free speech. While cases remain pending in courts across the country, initial decisions show a pattern of courts rejecting the initial funding freezes and agencies agreeing to restore website content.
Below, we break down three recent decisions in The Sustainability Institute v. Trump, Woonasquatucket River Watershed Council v. US Department of Agriculture (USDA), and Northeast Organic Farming Association of New York v. USDA.
Background
Shortly after his inauguration, President Trump signed several orders that froze or terminated congressionally appropriated funds under the Inflation Reduction Act (IRA) and the Infrastructure Investment and Jobs Act (IIJA). The orders are Unleashing American Energy, Ending Radical and Wasteful Government DEI Programs and Preferencing, and Implementing the President’s “Department of Government Efficiency” Cost Efficiency Initiative (previously discussed here, here, and here). In addition, agencies ordered their staff to take down climate-related webpages from their sites.
Below, we discuss three cases where courts ruled against agencies who terminated funding or took down websites on the grounds that the actions violated the APA and First Amendment.
The Sustainability Institute v. Trump
The Sustainability Institute v. Trump involves a challenge in South Carolina federal court by nonprofit groups and local governments to a freeze to federal climate funding by agencies including the US Environmental Protection Agency (EPA), USDA, and the US Departments of Energy (DOE) and Transportation (DOT). The funding was appropriated by US Congress and contractually awarded to municipalities and nonprofits before the Trump Administration sought to freeze it.
The challengers alleged:
That the freeze orders violate the APA by terminating funding with no process or notice.
That denying funding violates the separation of powers principle of the US Constitution and the executive’s duty under Article II, Section 2 of the Constitution to “faithfully execute[]” the laws of the United States by failing to distribute funds appropriated by Congress.
That EPA violated their First Amendment right to free speech by engaging in viewpoint discrimination by ordering nonprofits to remove disfavored language from grants and threatening to revoke federal funding for groups that draw attention to climate change or equity issues.
In response, the government argued, without evidence, that termination decisions were supported by reasoning made on an individualized grant by grant basis, rather than because they were funded by the IRA and IIJA, and therefore were justified.
In April, the court ordered the five agencies to produce all documents from January 20 to present, relating to the freeze, pause, and/or termination of any of the grants identified by the plaintiffs in their motion for expedited discovery. EPA and other agencies responded by releasing over 130,000 pages of documents containing internal EPA emails, spreadsheets, and other materials pertaining to the freezes. Even with these productions, the plaintiffs argued there was no evidence that EPA and other agencies made grant-specific determinations to terminate funding.
Following these productions, the government conceded that, at least for this case, it would “not contest[] the merits of a majority of plaintiffs’ APA claims” that grant decisions were not made on an individualized basis as required, but they maintain the admission is “for purposes of this case only.” On May 20, the court entered judgment in favor of the plaintiffs on the APA claims, granted the plaintiffs’ request for a preliminary injunction, and denied staying injunctive relief requiring the funding to be reissued.
Woonasquatucket River Watershed Council v. USDA
In Woonasquatucket River Watershed Council v. USDA, a court reached a similar holding. This case involves a challenge by several nonprofit organizations to the freezing of funding appropriated under the IRA and IIJA. Last month, the court issued a nationwide preliminary injunction, ordering five federal agencies — DOE, US Department of Housing and Urban Development, USDA, US Department of the Interior, and EPA — to “take immediate steps to resume the processing, disbursement, and payment of already-awarded funding appropriated under” the IRA and IIJA, and prohibited those agencies from “freezing, halting, or pausing on a non-individualized basis the processing and payment” of such funding.
When EPA argued that it should be allowed to continue its freeze on nearly 800 IRA grants that had been terminated or had terminations pending, the court ordered that the grants be unfrozen before sending termination notices, and urged EPA to expedite the termination process for the grants it believes it can legally revoke. The case is now on appeal to the US Court of Appeals for the First Circuit.
Northeast Organic Farming Association of New York et al. v. USDA
Northeast Organic Farming Association of New York also reached a similar outcome. In that case, several nonprofits sued the USDA seeking to enjoin the government from erasing webpages focused on climate change. The plaintiffs’ complaint alleges that USDA violated the APA when it took down government websites containing climate content, including statutorily required climate-related policies, guides, datasets, and other resources, without advance notice or reasoned decision-making.
The USDA originally argued that the environmental groups had failed to show that relief was warranted and that the removals should stand because it was in the public’s interest to have government websites that reflect the current presidential Administration’s priorities. However, USDA recently reversed course and committed to restore climate change-focused webpages that were taken offline. Going forward, USDA stated that it would restore required websites and that it was committed “to complying with any applicable statutory requirements in connection with any future publication or posting decisions regarding the removed content, including, as applicable, the adequate-notice and equitable-access provisions of the Paperwork Reduction Act and the reading room provisions of [the Freedom of Information Act].” The parties are expected to submit a joint status report in early June.
D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board (“PCLOB”) were unlawfully terminated by President Trump.
The plaintiffs, Travis LeBlanc and Edward Felten, argued in their complaint against the PCLOB and others that the termination by the President of their positions on the PCLOB violated federal law and the U.S. Constitution. The court concluded that Congress intended to restrict the President’s power to remove PCLOB members, the restriction as applied to the plaintiffs is constitutional, and the plaintiffs’ required relief is appropriate. Accordingly, the court granted plaintiffs’ motion for summary judgment and denied the defendants’ cross-motion for summary judgment.
In reaching its conclusion, the court reasoned:
In response to the 9/11 Commission Report, Congress created an independent, multimember board of experts and tasked its members with the weighty job of overseeing the government’s counterterrorism actions and policies, and recommending changes to ensure that those actions and policies adequately protect privacy and civil liberties interests. And, as the Court has now concluded, that responsibility is incompatible with at-will removal by the President, because such unfettered authority would make the Board and its members beholden to the very authority it is supposed to oversee on behalf of Congress and the American people. To hold otherwise would be to bless the President’s obvious attempt to exercise power beyond that granted to him by the Constitution and shield the Executive Branch’s counterterrorism actions from independent oversight, public scrutiny, and bipartisan congressional insight regarding those actions. And, when the President contravenes a statutory scheme designed by Congress to ensure that these interests are adequately protected, it is specifically the “province and duty” of the independent Judiciary to “say what the law is.”
Getting Too Personal? Illinois Court Says Family Medical History is Genetic Information
On May 15, 2025, a district court in Illinois denied a motion by defendant Hospital Sisters Health System and Saint Francis (HSHS) to dismiss a class action claim brought against the hospital system under the Illinois Genetic Information Privacy Act (GIPA).
GIPA regulates the use, disclosure, and acquisition of genetic information and has adopted the same definition of genetic information as provided in the federal Health Insurance Portability and Accountability Act (HIPAA):
(i) the individual’s genetic tests; (ii) the genetic tests of family members of the individual; (iii) the manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
GIPA prohibits employers from soliciting or requesting genetic testing or genetic information of a person or their family members as a condition of employment. GIPA also prohibits employers from changing the terms, conditions, or privileges of employment or terminating the employment of any person due to a person or their family member’s genetic testing or information.
In this case, the plaintiff filed her complaint in December 2024. It states that the hospital system requires potential employees to submit to a pre-employment medical examination conducted by an HSHS employee. This examination allegedly requires job applicants to disclose information concerning their family medical histories. The plaintiff alleges that she was a job applicant with HSHS and that she, too, was required to submit to a medical examination that asked questions about her family’s medical history. These questions reportedly included inquiries about the plaintiff’s family history of heart disease, asthma, or psychological conditions.
In its motion to dismiss filed in February 2025, HSHS argued that the generic family medical history questions included in its medical examination are routine medical questions that do not constitute genetic information as protected by GIPA. The court was unconvinced, holding that “these questions involve[d] a clear report of the manifestation of a disease or disorder in a family which is clearly specified in GIPA through its adaptation of HIPAA’s definitions.” In addition, to support its holding, the court noted that the federal Genetic Information Nondiscrimination Act (GINA), which is also incorporated into GIPA, defines the term “family medical history” as “information about the manifestation of disease or disorder” in family members.
Though GIPA litigation has not yet risen to the level of litigation regarding Illinois’ Biometric Information Privacy Act (BIPA), several courts in 2024 have noted that GIPA should apply broadly. In Taylor v. Union Pacific Railroad Co., No. 23-CV-16404, 2024 WL 3425751 (N.D. Ill. July 16, 2024), the court held that GIPA plaintiffs have lenient standing requirements, concluding that BIPA’s definition of “aggrieved persons” – which encompasses individuals who sustained no actual injury beyond a violation of their rights under the statute – applies to GIPA, as well. In McKnight v. United Airlines, Inc., No. 23-CV-16118, 2024 WL 3426807, at *1 (N.D. Ill. July 16, 2024), the court found that individuals outside of Illinois may nonetheless initiate GIPA litigation if the underlying activity “occurred primarily and substantially in Illinois” and that GIPA has a five-year statute of limitations.
Employers with ties to Illinois should note that GIPA may apply to them. Any questions about a job applicant’s family medical history may be considered genetic information under the act—even if these questions are intended to be routine health inquiries—and could give rise to a GIPA claim. Pre-employment exams should be structured carefully to avoid running afoul of GIPA and potential class action risks.
FTC Order with GoDaddy Finalized Over Lax Data Security
On May 21, 2025, the Federal Trade Commission (FTC) finalized its order with GoDaddy over allegations that GoDaddy “failed to implement standard data security tools and practices to protect customers’ websites and data.” In a Complaint filed against GoDaddy in January 2025, the FTC alleged that the company had “failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.”
The allegations against GoDaddy include failing to implement multi-factor authentication, monitor for security threats, and secure connections to consumer data. As a result, GoDaddy suffered several data breaches, which “allowed bad actors to gain unauthorized access to customers’ websites and data.” In addition, the FTC alleged that GoDaddy “deceived” users about its data security practices and compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Pursuant to the order, GoDaddy is:
Prohibited from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization;
Required to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
Required to hire an independent third-party assessor to conduct reviews of its information-security program.
The FTC voted unanimously, 3-0, to finalize the order. The order emphasizes the FTC’s continued focus on data security and companies’ representations of data security measures to consumers. Therefore, companies may wish to reassess and update data security practices to confirm that they are commercially reasonable and consistent with their assertions to the public.
Data Breach Lawsuits Surge Against Chord Specialty Dental Partners
Pennsylvania-based Chord Specialty Dental Partners is under fire after a September 2024 data breach compromised the personal information of over 173,000 individuals. At least seven proposed class action lawsuits have been filed in federal courts in Tennessee and Pennsylvania, alleging the company failed to secure and protect patient data properly.
The lawsuits claim Chord Dental violated its obligations under state and federal laws, including the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA). Plaintiffs argue that the company did not implement reasonable cybersecurity measures or provide timely and sufficient notice of the breach.
Exposed data included names, addresses, Social Security numbers, driver’s license numbers, bank and payment card information, dates of birth, and medical and insurance records.
The plaintiffs claim that they have suffered harm, including out-of-pocket costs, time spent mitigating the damage, emotional distress, and increased risk of identity theft. One plaintiff also seeks to represent a specific subclass of affected Pennsylvania residents.
The suits assert various legal claims, from negligence and breach of contract to unjust enrichment. Plaintiffs are seeking damages, restitution, credit monitoring, and court orders requiring stronger data protections.
As legal proceedings unfold, the case highlights ongoing concerns over cybersecurity practices in the healthcare industry—and the steep costs of failing to protect protected health information.
Senate Advances Stablecoin Bill
On May 20, the U.S. Senate voted 66-32 to move forward with the Guardrails and Enforcement for Neutral Issuers of United States Stablecoins (GENIUS) Act (the “Act”), pushing the stablecoin bill past a major procedural hurdle. The vote sets the stage for full Senate debate and potential passage of the Act as early as next week.
The GENIUS Act aims to establish a regulatory framework to expedite the integration of stablecoins into the broader banking system by setting up requirements for issuance, backing, and supervision of payment stablecoins. The Act also delineates the authority of state and federal regulators and restricts certain firms from engaging in stablecoin issuance.
Several key provisions from the Act include the following:
Federal and state regulatory roles. Stablecoin issuers may be licensed by state regulators or directly by a federal payment stablecoin regulator, with standards coordinated under the Act. Issuers with over $10 billion in market capitalization fall under federal oversight, while issuers with $10 billion or less in market capitalization would have the option of state regulation by the relevant state banking agency (provided the state regulation satisfies certain federal standards).
Definition of payment stablecoins. The Act defines “payment stablecoin” as a digital asset that maintains a fixed value through backing by fiat currency or other secure reserves. While the Act does not explicitly prohibit interest-bearing stablecoins, recent SEC guidance (previously discussed here) indicates that stablecoins offering yield may be treated as securities—making it likely that, to circumvent regulatory complexity, payment stablecoins will primarily be used as a medium of exchange in practice.
Reserve asset requirements. Issuers must maintain one-to-one reserves in high-quality liquid assets, such as U.S. dollars, Treasury bills, or central bank reserves. Issuers must also avoid rehypothecation (i.e., the use of reserves for purposes other than backing the stablecoin) and complete monthly certifications attesting to the sufficiency of reserves, among other reserve requirements.
Supervisory authority and enforcement. The Act gives federal banking agencies enforcement authority over permitted payment stablecoin issuers that is analogous to the authority in section 8 of the Federal Deposit Insurance Act over insured depository institutions and their holding companies. The Act authorizes the Federal Reserve, OCC, and FDIC to take enforcement action against payment stablecoin issuers, including – in certain circumstances – those issuers that are subject to regulation by a state banking agency.
Putting It Into Practice: The GENIUS Act would, if enacted, establish the first comprehensive federal framework for governing payment stablecoins. While competing stablecoin proposals such as the STABLE Act (previously discussed here) remain pending, the Senate’s passage of the GENIUS Act represents a significant step toward its codification. Stablecoin issuers and fintech companies should evaluate licensing pathways and reserve management models in anticipation of the GENIUS Act’s enactment.
AI Service Provider Faces Class Actions Over Catholic Health Data Breach
AI service provider Serviceaide Inc. faces two proposed class action lawsuits from a data breach tied to Catholic Health System Inc., a nonprofit hospital network in Buffalo, New York. The breach reportedly exposed the personal information of over 480,000 individuals, including patients and employees.
Filed in the U.S. District Court for the Northern District of California, the lawsuits allege that Serviceaide acted negligently and failed to protect sensitive data in its Elasticsearch database, which was allegedly publicly accessible for months before the exposure was disclosed.
Serviceaide, which provides AI-driven chatbots and IT support solutions, was contracted by Catholic Health and entrusted with managing protected health information and employment records. Plaintiffs allege that the company delayed notification, waiting seven months after the incident to notify affected individuals. The affected data included patient records and personal information.
The lawsuits allege claims of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violations of California’s Unfair Competition Law.
Both plaintiffs seek to represent a nationwide class of individuals whose data was compromised and are seeking injunctive relief, damages, and attorneys’ fees.
These lawsuits highlight growing legal exposure for tech firms that handle protected health information, especially as more hospitals and healthcare systems outsource services to AI and cloud vendors. The healthcare sector remains one of the most targeted industries for cyber threats, and breaches involving third-party vendors are drawing increasing legal scrutiny.