Federal Court holds nonprofit health center is immune from data breach class action
In a case of first impression, the United States District Court for the Southern District of California held that Neighborhood Healthcare, a nonprofit, federally supported health center, was immune from suit in a putative class action alleging violations of California’s Confidentiality of Medical Information Act (“CMIA”). Plaintiff Jane Doe alleged that Neighborhood failed to adequately safeguard her electronic patient health records in connection with a highly publicized ransomware attack on Neighborhood’s data hosting provider.
Neighborhood’s attorneys at BCLP removed the case to federal court under 42 U.S.C. § 233(l), a provision of the Federally Supported Health Center Assistance Act (“FSHCAA”) by which Congress determined that federal nonprofit grant recipients may apply to be “deemed” an employee of the Public Health Service for purposes of the Federal Tort Claims Act (“FTCA”). The FSHCAA provides that the sole remedy for plaintiffs alleging “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions,” is a claim against the US under the FTCA. After the United States failed to appear to defend the suit, Neighborhood removed, and on September 30, 2021, filed a motion for substitution, seeking an order directing that the United States be substituted in place of Neighborhood and defend the suit. With Neighborhood’s support, BCLP attorneys advanced the novel theory that maintaining and securing confidential electronic patient health records is an essential part of providing effective health care and is required under federal regulations, and is therefore a “related function” for purposes of the FSHCAA.
On December 20, 2021, the US Attorney for the Southern District of California filed a Statement of Interest on behalf of the United States, vigorously opposing Neighborhood’s motion and arguing that the FSHCAA was intended only to cover traditional malpractice claims, that Neighborhood’s construction of the FSHCAA would substantially expand the scope of covered activities, and that the Court lacked authority to order the US to be substituted into the suit. Neighborhood filed a reply, explaining that the plain language of the FSHCAA encompassed the subject claims and that courts have previously held that administrative activities are “related functions” under the FSHCAA, and presenting unrebutted evidence that maintaining confidential electronic medical records is an essential part of providing effective health care.
On September 8, 2022, the District Court granted Neighborhood’s motion in full, holding that Neighborhood properly removed the case pursuant to 42 U.S.C. § 233(l), that the Court had authority to determine whether plaintiffs’ claims fell within § 233(a), and that plaintiffs’ claims sought damages arising from the performance of functions “related” to the provision of medical care. The Court’s ruling terminates Neighborhood’s participation in the case.
The decision has important implications for nonprofit federally supported health care providers nationwide. Among other things, nonprofit health care providers should carefully consider the impact of the ruling on the decision whether to seek deeming status, the purchase of cyber-insurance, and how best to respond in the event of a breach involving patient health records. For more information regarding the decision and how it might affect you, please contact BCLP Partner, Daniel Rockey.
 42 U.S.C. § 233(a).
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.