The Supreme Court has turned down a case concerning the immunity of the Federally Qualified Health Center (FQHC) from liability associated with the exposure of personally identifiable information (PII) of patients due to a data breach. Sandhills Medical Foundation is an FQHC that provides healthcare services to patients in Chesterfield, Lancaster, Kershaw, and Sumter Counties in South Carolina. Netgain Technologies, Sandhills’ vendor, offers electronic storage for its scheduling, payment, and reporting systems. On January 8, 2021, the vendor informed Sandhills about a November 15, 2020 ransomware attack. The ransomware group accessed its systems using compromised credentials and stole sensitive information. The threat group deployed ransomware on December 3, 2020.
Sandhills confirmed that the breach affected the data of 39,602 individuals. Protected Health Information (PHI) was not compromised, but the attackers may have determined diagnoses and medical conditions. The data stolen during the attack included names, birth dates, residential addresses, email addresses, Social Security numbers, and driver’s license numbers. One of the impacted persons, Joann Ford, filed a lawsuit in response to the data breach on behalf of herself and other similarly situated persons. Ford got healthcare services at Sandhills in 2018 but stopped going to Sandhills prior to the November ransomware attack. Her PII was included in the data stolen during the attack. The attacker used her PII later to commit fraud and get a loan.
Sandhills had the lawsuit taken to federal court to determine if it is entitled to federal immunity shielding it from legal responsibility. Ford furnished her information to Sandhills as a condition for getting her treatment. Sandhills exhibited that her PII was stolen because of performing medical, dental, surgical, or similar functions. As per 42 U.S.C. § 233(a), the Federal Tort Claims Act (FTCA) was applied to the case, and so the District Court confirmed that Sandhills was immune and the United States became the substitute defendant in place of Sandhills.
The United States submitted a motion to dismiss the case for insufficient subject matter jurisdiction saying the appellant did not use up all her administrative solutions with the Department of Health and Human Services prior to taking legal action, as mandated by the FTCA. Although the appellant conceded, she held on to the argument that Sandhills wasn’t immune under § 233(a) because her PII was given to the vendor, not concerning a medical, dental, surgical, or similar function.
The District Court approved the motion to dismiss, but Ford appealed the decision. The decision of the United States Court of Appeals for the Fourth Circuit is that § 233(a) is not applicable to the claims, since Sandhills wasn’t doing a similar function at the time the hacker stole the PII of the appellant. The District Court’s judgment was released in March 2024, remanding the case for further proceedings.
The Appellate court stated that if [§ 233(a)] is used on any action taken by a patient to be given healthcare, it would keep Sandhills from any claims in spite of their lacking connection with their treatment. In a scenario where the Appellant supplied her PII and billing details to Sandhills but did not come for her appointment, the Appellant would have sustained the same damage she claims here from the data breach without getting treatment. This week, the Supreme Court posted the legal action as Certiorari Denied, turning down the case.