Over the last year, multiple decisions from U.S. District courts have held that Federally Qualified Health Centers (FQHCs) facing data breach litigation are entitled to substitution of the federal government under the Federal Tort Claims Act (FTCA). In particular, the U.S. District Court for the Southern District of California and the U.S. District Court for the District of South Carolina each granted motions to substitute filed by FQHCs whose patients’ data was compromised due to a breach of the FQHCs IT/cloud computing service provider. In each of the cases, such motions were opposed by both the Plaintiffs and the U.S. government, but the presiding judges ruled that substitution was proper since maintaining the security of patient data was a “medical…or related function” under 42 U.S.C. § 233(a)).
The implications of the district courts’ decisions are certainly impactful for FQHCs facing data breach litigation, as it presents a complete defense to any class action lawsuits arising out of a security incident. The decisions could also precipitate changes to the language within deeming notices issued to FQHCs by HHS, given that such notices do not specifically reference any governmental indemnity for data breach claims.
Under the FTCA, an FQHC is entitled to governmental immunity with respect to “actions arising out of the performance of medical or related functions…” (C.K. v. United States, No. 19-cv-02492-TWR-RBB, 2020 WL 6684921, at *3 (S.D. Cal. Nov. 12, 2020) (quoting Hui v. Castaneda, 559 U.S. 799, 801 (2010); 42 U.S.C. § 233(a)).
Traditionally, this language had been used by FQHCs only with respect to claims for malpractice, however, the scope of this immunity has expanded over the years, due in part to the broadly drafted language within 42 U.S.C. § 233(a), which includes “any claim, however styled” so long as it “seeks damages ‘resulting from the performance of medical, surgical, dental, or related functions.” In this regard, prior court decisions held that immunity under the FTCA is proper “where ‘job functions…are “interwoven” with providing medical care.’” Goss v. United States, 353 F. Supp. 3d 878, 886 (D. Ariz. 2018) (collecting cases).
The Subject Lawsuits
In late 2020, Netgain Technology (“Netgain”), a cloud hosting provider that serves companies in the healthcare and accounting sectors, fell victim to a ransomware attack, impacting thousands of records, some of which contained personal health information of its healthcare clients’ patients. Soon thereafter, Netgain began notifying its clients, many of whom are FQHCs, that the ransomware attack had impacted patient data and those clients began notifying their patients. Following these notifications, multiple class action lawsuits were initiated in state and federal courts located in South Carolina, Minnesota, and California, seeking damages from Netgain and/or their FQHC clients.
Three of these class action suits were filed in state court and the respective FQHCs named in those suits all promptly removed the actions to federal court, based on federal question jurisdiction insofar as they all contended the federal government was the proper defendant under the FTCA. These three removed actions included two from the U.S. District of South Carolina (Mixon v. CareSouth Carolina, 4:22-cv-00269-RBH; and Ford v. Sandhills, 4:21-cv-02307-RBH (collectively, the “D.S.C. Actions”) and one from the Southern District of California (Doe v. Neighborhood Healthcare, et al., 3:21-cv-01587-BEN-DDL (the “California Action”).
The District Courts’ Decisions
Upon removal, the District Courts were met with two primary inquiries: (i) whether removal was proper under the FTCA; and (ii) whether the FQHC defendants were entitled to substitution of the federal government in their place. In both the D.S.C. Actions and the California Action, the presiding judges answered both these questions in the affirmative. Relying on prior case precedent interpreting Section 233(a), each of these decisions found that substitution of the federal government in place of the FQHC was warranted, despite opposition from both Plaintiffs and the U.S.A.G.’s office. In this regard, each of these courts found that the general maintenance of patient information, including but not limited to, the proper storage and security thereof, is a function related to the medical care received by Plaintiffs.
Further, the D.S.C. Actions relied on language from 42 U.S.C. 254b(k)(3)(C) that eligibility for deemed status and receipt of federal funds is premised on the FQHC showing that it ““will have an ongoing quality improvement system that includes clinical services and management, and that maintains the confidentiality of patient records.” 42 U.S.C. § 254b(k)(3)(C) (emphasis added); see 42 U.S.C. § 233(g)(1), (4) (providing that to be a deemed PHS employee, a health center must be a “public or non-profit entity receiving Federal funds under section 254b”).
Also supporting the decision in the D.S.C. Actions was language from the applications that FQHCs submit to receive deeming status, which requires “attest[ation] that [the] health center has implemented systems and procedures for protecting the confidentiality of patient information and safeguarding this information against loss, destruction, or unauthorized use, consistent with federal and state requirements.” Application for Health Center Program Award Recipients for Deemed Public Health Service Employment with Liability Protections Under the Federal Tort Claims Act. While the Court relied on the 2021 application in its decision, it is notable that the 2023 application still contains this language, further supporting the notion that FQHC status is dependent, at least in part, on adequate security measures to protect patient information.
Additional Case Outcomes
While the above decisions in the D.S.C. Actions and California Action represent reliable case law to seek substitution of the U.S. Government, additional cases arising out of the Netgain breach demonstrate the effectiveness of simply threatening to seek substitution. In particular, there were multiple lawsuits filed against Netgain and an FQHC defendant, where the FQHC defendant was voluntarily dismissed from the lawsuit. See Clark et al. v. Netgain Technology, LLC et al., 3:21-cv-01432-LL-MSB (S.D. Cal.); Lee et al. v. Netgain Technology, LLC et al., 3:21-cv-01144-LL-MSB (S.D. Cal.); and Smithburg et al. v. Apple Valley Medical Clinic, Ltd. et al., 0:21-cv-01622-SRN-LIB (D.MN.) (collectively, the “Dismissed Actions”).
Defense counsel for the FQHCs in each of the Dismissed Actions further confirmed that the voluntary dismissals were due to the mere threat of the FQHC seeking substitution of the federal government. Plaintiffs in the Dismissed Actions then proceeded to pursue recourse against Netgain only, as they wanted to avoid the delay and added cost of proceedings that would be precipitated by a motion to substitute.
The district courts’ decisions and voluntary dismissals discussed above demonstrate that FQHCs have a potentially potent defense available to them when faced with data breach litigation. Likewise, the decisions appear to upend traditional notions of the types of claims (namely, malpractice) for which FQHCs could seek substitution of the federal government.
Further, the case precedent from the D.S.C. Actions and California Action notwithstanding, even the mere threat of substitution can be a useful tool for an FQHC to avoid the costs and expenses of data breach litigation. FQHCs should still expect vehement opposition from both Plaintiffs and the U.S.A.G.’s office when filing motions to substitute, but the above cases demonstrate that substitution can still be effectuated over and above such objections.
Octillo monitors developments regarding data privacy and security law generally, including biometric privacy requirements. Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to help businesses evaluate the legal risks posed by modern technologies. Octillo can help businesses develop comprehensive and scalable data privacy compliance programs, as well as defend businesses currently facing data privacy litigation.
*Attorney advertising: prior results do not guarantee a similar outcome.