Supreme Court declines to weigh in on FQHC's patient data security liability

The Supreme Court has declined to hear a case on whether a Federally Qualified Health Center is immune from liability over a former patient’s stolen personally identifying information (PII).

The class-action lawsuit stemmed from a patient who received care and provided that information to Sandhills Medical Foundation, an FQHC, in 2018.

The provider’s third-party computer system was hit with a cyberattack in late 2020 in which the plaintiff’s PII, but not her protected health information (PHI), was stolen and used to apply for a loan.

As an FQHC, Sandhills is considered a U.S. Public Health Service employee and as such a protected entity when performing “medical, surgical, dental or related functions.” It argued that the collection of the patient’s PII falls under those functions, which would afford the FQHC immunity and see the U.S. substituted as the defendant in line with a case brought pursuant to the Federal Tort Claims Act.

Though the plaintiff filed her complaint in a South Carolina state court, Sandhills’ argument saw the case removed to federal court, where it successfully argued its immunity from the suit.

The federal judge confirmed Sandhills’ status in June 2022, ruling that the requirement to provide PII in order to receive treatment meant that the theft was a result of Sandhills performing “medical, surgical, dental or related functions.” That ruling substituted the federal government as the defendant and was appealed later that year.

The U.S. Court of Appeals for the Fourth Circuit saw the situation differently. In a March 2024 ruling, it interpreted “related functions” to more closely cover healthcare provision as opposed to “data security, which is more akin to an administrative function.” It also highlighted the time gap between the patient’s receipt of care services and the cybersecurity incident and disagreed with the FQHC’s argument that storage and maintenance of the plaintiff’s PII was “related” to care.

“There is no limiting principle to Sandhills’ position,” the appellate court wrote. “If [the statute granting immunity] applied to any action that a patient must take in order to receive healthcare, it would shield Sandhills from any and all claims despite their lack of relation to their treatment.

“Consider a scenario where, in anticipation of receiving healthcare, Appellant provided her PII and billing information to Sandhills but never showed up for her appointment. In that instance, Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment,” the court wrote.

The appellate court vacated the lower court’s ruling and remanded for further proceedings. Monday, the Supreme Court listed the case, Ford v. Sandhills Medical Foundation, Inc., as “Certiorari Denied,” meaning the top court declined the petition to take up the case.