California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

Posted by Steve Alder

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.

The post California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers appeared first on The HIPAA Journal.

Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.