State AG Updates: California, Rhode Island, New York, Connecticut, Illinois and Minnesota

In this edition of Faegre Drinker’s State Attorneys General Update, we discuss:

• The California AG’s $2.1 million settlement with an insurer for allegedly falsely advertising itself as a health care sharing ministry
• The Rhode Island AG’s suit against the City of Woonsocket and its wastewater treatment vendors for alleged violations of the state’s Clean Water Act
• The NY AG’s:
  
  • Suit against cryptocurrency platform KuCoin for alleged securities violations
  • $860,000 settlement with a medical transportation company for alleged Medicaid fraud
  • $200,000 settlement with a law firm relating to a data breach
• The Connecticut AG’s:
  
  • Suit against a highway service plaza operator for allegedly unpaid wages
  • Suit against a solar panel installer for alleged unfair trade practices 
• The Illinois AG’s suit seeking to enforce a subpoena and bar the subpoenaed business from operating in the state pending its compliance
• The Minnesota AG’s investigation of car manufacturers for a possible lack of adequate antitheft technology

The California AG Settles With Insurer to Resolve Allegations the Insurer Falsely Presented Itself as a Health Care Sharing Ministry

The California AG entered a $2.1 million settlement with Share Health Alliance, Inc. (SHA) and its parent, Alliance for Shared Health (ASH) to resolve allegations the companies violated various insurance regulations and engaged in deceptive advertising relating to ASH’s health insurance products. ASH is nonprofit and SHA is its for-profit administrative vendor. According to the AG, ASH falsely advertised itself as a health care sharing ministry (HCSM). HCSMs are entities that were created to allow individuals with ethical or religious objections to provisions of the Affordable Care Act (ACA; colloquially known as Obamacare) to pool funds and share the costs of health care; they are exempt from certain coverage requirements of the ACA. According to the AG, ASH advertised itself as an HCSM and advertised its plans as being equivalent to standard insurance (i.e., insurance subject to the requirements of the ACA), but did not meet the statutory requirements to be an HCSM and did not cover pre-existing conditions or reproductive care as required by the ACA. Under the terms of the settlement, the companies will pay $1.76 million in restitution and $357,000 in civil penalties. Further, the companies will cease all operations in California and their executives are barred from holding leadership positions or owning any organization that purports to be an HCSM in California. Copies of the AG’s press release and the stipulated judgment are available here. 

The Rhode Island AG Sues a City and Its Wastewater Treatment Vendors for Alleged Violations of the State’s Clean Water Act

The Rhode Island AG filed a suit against the City of Woonsocket, as well as Jacobs Engineering Group, Inc. (Jacobs), which operates Woonsocket’s wastewater treatment facility, and Synagro Woonsocket, LLC (Synagro), which operates the incinerator portion of that facility. The AG alleges that the parties violated the state’s Clean Water Act, Freshwater Wetlands Act, Environmental Rights Act, and created a common law public nuisance by discharging partially treated sewage into the Blackstone River in March and June 2022 and March 2023. In bringing the action, the AG noted alleged institutional problems at the facility, including communications issues between Jacobs and Synagro and a failure to maintain certain equipment. Copies of the AG’s press release and complaint are available here.

The New York AG Sues Cryptocurrency Platform KuCoin for Alleged Securities Violations

Continuing her recent streak of actions against cryptocurrency companies, the New York AG sued cryptocurrency exchange KuCoin for alleged securities violations. The company allows investors to buy and sell virtual currencies, such as ETH, LUNA and TerraUSD. It also sold its own lending product KuCoin Earn. The AG alleges that each of these virtual assets are securities and, therefore, KuCoin was required to register with the state before operating in New York and failed to do so. Further, KuCoin allegedly advertised itself as an exchange, despite not being registered with SEC or being appropriately designated with the CFTC. The AG’s suit seeks a permanent injunction prohibiting KuCoin from operating in New York, restitution, disgorgement and $2,000 in litigation costs. Copies of the AG’s press release and Memorandum of Law in Support of the Verified Petition are available here. 

The New York AG Enters $860,000 Settlement With USA Medical Transport to Resolve Allegations of Medicaid Fraud

The New York AG secured more than $860,000 after settling with USA Medical Transport, which provides transportation to and from medical appointments for Medicaid recipients, and its owner for allegedly defrauding Medicaid and violating the New York False Claims Act. According to the AG, the company billed Medicaid approximately $400,000 for transportation services that either did not occur as described, lacked required documentation, or never took place at all. Copies of the AG’s press release and the settlement agreement are available here.

The New York AG Enters $200,000 Settlement and Imposes Comprehensive Security Program on Law Firm Relating to Alleged Health Data Security Breach

The New York AG entered a $200,000 settlement relating to an alleged data breach that compromised electronic protected health information (ePHI) and other private information maintained by law firm Heidell, Pittonik, Murphy & Bach LLP (HPMB) in its capacity as litigation counsel to hospitals and hospital networks. To the extent that HPMB is classified as a “Business Associate” under HIPAA, it is subject to HIPAA’s Privacy and Security Rule, which imposes data security compliance standards on entities that transmit, maintain or access ePHI. (State attorneys general are empowered to enforce the Rule through the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.) In addition to alleging violations of HIPAA, the AG alleged violations of New York laws relating to data security and notification of individuals affected by data breaches. 

In late 2021, an attacker allegedly exploited known vulnerabilities in a Microsoft Exchange server to gain access to HPMB’s systems. Significantly, a patch for the vulnerability that led to the alleged breach had been available for several months. After becoming aware of the attack, HPMB hired a forensic cybersecurity firm and paid a $100,000 ransom for the return and promised deletion of tens of thousands of exfiltrated files. HPMB began notifying affected individuals in May 2022. The AG’s investigation alleged 17 violations of HIPAA’s Privacy and Security Rule and a failure to provide timely notice of the breach to affected individuals in violation of New York GBL § 899-bb(2). 

The agreement requires HPMB to implement a comprehensive information security program. HPMB will be required to appoint a chief information security officer, report security risks to firm leadership, conduct a third-party assessment, and comply with certain specific security requirements, such as use of encryption, patch management and regular penetration testing. In addition to the $200,000 payment to the State of New York, HPMB will be required to offer two years of credit monitoring and identity-theft protection services to affected consumers.

Copies of the AG’s press release and Assurance of Discontinuance are available here.

The Connecticut AG Seeks $6.1 Million From Service Plaza Operator in Suit Relating to Unpaid Wages

The Connecticut AG filed a lawsuit seeking to recover $2.7 million in allegedly unpaid wages to fast-food workers at the state’s highway service plazas, $2.7 million in damages, and $722,000 in civil penalties from service plaza operator Project Service, LLC. Project Service has contracted with Connecticut since 2009 to provide food services at Connecticut’s 23 state-owned service plazas. According to the AG, employees of such service plazas are covered by state statutes providing a minimum wage set by the Connecticut Department of Labor plus a 30% surcharge for benefits, such as health care. The AG alleges that employees of various fast-food companies, which subcontracted with Project Service, were paid the minimum wage but not the required 30% surcharge, and that Project Service is liable for that 30% surcharge. Copies of the AG’s press release and complaint are available here.

The Connecticut AG Sues Vision Solar for Alleged Unfair and Predatory Sales and Business Practices

The Connecticut AG sued home improvement contractor Vision Solar for alleged violations of the state’s Unfair Trade Practices Act, Home Improvement Act and occupational licensing statutes. The AG alleged that the company violated the statutes by failing to disclose certain information and making misrepresentations during sales interactions and by using unlawful high-pressure sales tactics. The AG’s complaint emphasized the high cost of solar panels and offered several examples of allegedly unlawful practices including: (a) providing contracts for review on the salesperson’s cell phone, tablet or laptop, “where the consumer could not easily read or evaluate the documents in advance,” (b) making cold calls to arrange sales meetings to pitch solar contracts, (c) staying in consumers’ homes during sales visits, even after being asked to leave, (d) pressuring consumers to agree to a solar installation the same day they were initially contacted, (e) pressuring consumers not to have contracts reviewed by an attorney, (f) making sales pitches to intellectually disabled individuals, (g) suggesting that signing a contract was only for purposes of “preapproval,” (h) not providing copies of executed contracts until days or weeks after execution, and (i) telling consumers they would benefit from tax credits when the company allegedly knew such credits were unavailable to the consumers due to their income level. Further, the AG criticized Vision Solar’s execution on projects and particularly cited its failure to obtain necessary permits, which delayed the start of projects and hookups of completed projects. The AG is seeking injunctive relief, restitution, disgorgement, civil penalties of $5,000 per willful violation of the state’s Unfair Trade Practices Act, and attorney’s fees. Copies of the AG’s press release and complaint are available here. 

Illinois AG Brings Action Against Energy Acquisitions Group, LLC, for Refusal to Cooperate With Investigative Subpoena

The Illinois AG sued Energy Acquisitions Group LLC (EAG) to enforce a previously issued investigative subpoena. The subpoena sought documents and information in connection with the AG’s investigation of alleged deceptive marketing by alternative retail electric suppliers (ARES). It specifically sought materials relating to any role that EAG, in its capacity as a third-party sales representative to various ARES, may have played. The AG alleges that EAG’s CEO refused to comply with the subpoena. Section 6 of the Illinois Consumer Fraud and Deceptive Business Practices Act authorizes penalties for noncompliance with an AG investigation under the Act. The AG is seeking an order enjoining EAG from engaging in trade or commerce in Illinois and revoking its certificate of authority to transact business in Illinois as a foreign corporation until it obeys the subpoena, as well as requiring EAG to pay all costs of investigation and prosecution of the enforcement action. A copy of the complaint is here.

Minnesota AG Announces Investigation of the Adequacy of Car Manufacturers’ Antitheft Technology

The Minnesota AG announced that he sent Kia and Hyundai civil investigative demands requiring the production of documents and sworn responses to various questions as part of an investigation into the antitheft devices included in the car manufacturers’ vehicles. In his press release, the AG claimed the manufacturers did not include industry-standard engine-immobilizer technology in many of their models until recently and suggested that alleged failure led to a significant increase in thefts of those cars, which, in turn, led to those stolen cars being used in furtherance of violent crime. Engine-immobilizer technology prevents an engine from starting unless it receives an electronic code from a “smart” key. The AG is investigating whether the alleged failure to include this technology is a violation of Minnesota’s consumer protection and public nuisance laws. A copy of the AG’s press release is available here.