Federal Court holds nonprofit health center is immune from data breach class action | Bryan Cave Leighton Paisner - JDSupra

Federal Court holds nonprofit health center is immune from data breach class action
In a case of first impression, the United States District Court for the Southern District of California granted the motion of Defendant Neighborhood Healthcare seeking an order compelling the United States to defend a putative class action lawsuit. The plaintiff alleged that Neighborhood failed to ensure the confidentiality of her electronic health records in connection with a ransomware attack on Neighborhood’s data hosting provider, in violation of the Confidentiality of Medical Information Act (“CMIA”).

Neighborhood’s attorneys at BCLP removed the case to federal court under 42 U.S.C. § 233(l), a provision of the Federally Supported Health Center Assistance Act (“FSHCAA”) by which Congress determined that federal nonprofit grant recipients may apply to be “deemed” an employee of the Public Health Service for purposes of the Federal Tort Claims Act (“FTCA”). The FSHCAA provides that the sole remedy for plaintiffs alleging “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions,” is a claim against the US under the FTCA.[1] After the United States failed to appear to defend the suit, Neighborhood removed to federal court and on September 30, 2021, filed a motion for substitution, seeking an order directing the substitution of the United States in Neighborhood’s place. With Neighborhood’s support, BCLP attorneys advanced the novel theory that the maintenance of confidential electronic patient health records is an essential part of providing effective health care in the modern era and is thus a “related function” for purposes of the FSHCAA, requiring the US to stand in Neighborhood’s place and defend the suit.

On December 20, 2021, the US Attorney for the Southern District of California filed a Statement of Interest on behalf of the United States, vigorously opposing Neighborhood’s motion and arguing that the FSHCAA was intended only to cover traditional malpractice claims, that Neighborhood’s construction of the FSHCAA would substantially expand the scope of covered activities, and that the Court lacked authority to order the US to be substituted into the suit. Neighborhood filed a reply, explaining that the plain language of the FSHCAA encompassed the subject claims, that courts have previously held that administrative activities are “related functions” under the FSHCAA, and presenting unrebutted evidence that the maintenance of confidential electronic medical records is an essential part of providing effective health care.

On September 8, 2022, the District Court granted Neighborhood’s motion in full, holding that plaintiffs’ claims alleging that Neighborhood failed to ensure the confidentiality of patient health records in violation of the CMIA sought damages from the performance of functions “related” to the provision of medical care. Barring an appeal, the Court’s ruling terminates Neighborhood’s participation in the case.

The decision has important implications for nonprofit federally supported health care providers nationwide. Among other things, nonprofit health care providers should carefully consider the impact of the ruling on the decision whether to seek deeming status, the purchase of cyber-insurance, and how best to respond in the event of a breach involving patient health records.