Data breach class action litigation continues to occupy center stage in the ongoing struggle to secure compensation and redress for legitimate victims of actionable cybersecurity shortcomings of data owners. The underlying scenarios in these cases encompass criminal hacking episodes, rogue employees, carelessness and unforeseen material gaps in cybersecurity and patch management. The one-size-fits-all approach to typical class actions, however, frequently places health care providers at the mercy of the plaintiff class action bar, and courts may be reluctant to dismiss or meaningfully curtail these cases in the early phases. Yet hope may be on the horizon. For example, in a new wave of cases, certain federally funded community health centers have used the Federal Tort Claims Act as an avenue for substituting the United States as the proper defendant in data breach cases.

Congress and the Department of Health & Human Services have long been aware that federal-sector and federally affiliated providers do not have limitless resources. More to the point, burdening such providers with the types of litigation exposure and costs of defense faced by private-sector hospitals only serves to deplete the federal treasury (directly or indirectly) and divert federal funds from patient care to the types of external players in the litigation ecosystem (most notably, plaintiff lawyers and law firms). Enacted in 1946 after a B-25 bomber crashed into the Empire State Building, the FTCA serves as a mechanism to protect the balance between providing an adequate remedy to aggrieved parties and ensuring that federal sector and federally affiliated providers are not depleted of the funding needed to provide care.

While these FTCA provisions originated in the area of medical malpractice and other typically non-class action scenarios, they are equally if not more important when a provider faces a class action for a widespread data incident or data breach that is alleged to have caused personal injury to the class representative and putative class members.

Data breaches in the health care sector have proliferated over the years and continue to grow. A recent study by the Identity Theft Resource Center found that in 2021, 1,862 known data breaches occurred resulting in approximately 300 million sensitive records being exposed.¹ Out of the 1,862 recorded data breaches, 330, or 17.7%, were in the medical industry and resulted in the exposure of around 30 million sensitive records.

The FTCA waives sovereign immunity and places the U.S. government on equal footing with private-sector defendants sued for certain types of torts. Additionally, the FTCA imposes liability on the United States for claims against federal entities arising out of “injury or loss of property, or personal injury or death.” 28 U.S.C. § 2679(b)(1). According to the terms of the FTCA, this liability is the exclusive remedy for such claims. The Federally Supported Health Centers Assistance Act expanded the scope of this exclusive remedy to Public Health Service employees sued “for damage for personal injury, including death, resulting from the performance of medical, surgical, dental or related functions.” 42 U.S.C. § 233(a). Accordingly, “Section 233(a) grants absolute immunity to PHS officers and employees for actions arising out of the performance of medical or related functions within the scope of their employment by barring all actions against them for such conduct.” Hui v. Castaneda, 559 U.S. 799, 806 (2010). Key factors to consider in data breaches involving health care providers are (1) whether the health care provider has been “deemed” a PHS employee, and (2) whether the alleged data incident arises out of the performance of medical or related functions within the scope of the health care provider’s operations.

1. PHS employees

Pursuant to 42 U.S.C. § 233(g), certain eligible community health centers can be deemed employees of the PHS. A community health center is defined as “an entity that serves a population that is medically underserved, or a special medically underserved population comprised of migratory and seasonal agricultural workers, the homeless, and residents of public housing.” 42 U.S.C. § 254b. Other health care entities that may qualify as employees of the PHS include migrant health centers, health care for the homeless health centers and public housing primary care health centers.²

2. Performance of medical or related functions

In recent data breach cases involving community health centers, defendants have argued that maintaining the confidentiality of patient information is a medical or related function because the statute governing PHS deeming status requires the health center to have “an ongoing quality improvement system that includes clinical services and management, and that maintains the confidentiality of patient records.” 42 U.S.C. § 254b(k)(3)(C) (emphasis added). The implementing regulations also require health centers to maintain “appropriate safeguards for confidentiality of patient records.” 42 C.F.R. § 51c.110. The application that health centers must fill out as a prerequisite to receiving PHS status requires the center to attest that it “has implemented systems and procedures for protecting the confidentiality of patient information and safeguarding this information against loss, destruction[] or unauthorized use, consistent with federal and state requirements.”³

Accordingly, if a health care entity has been deemed a PHS employee and the data breach arose out of the performance of medical or related functions, then there is statutory and case law support for the health care entity being entitled to immunity under the FTCA. In 2022, three federal courts ordered the substitution of the United States in the place of community health centers based on this analytical approach.⁴ We expect these issues to continue to develop at the district court and appellate court levels in 2023.

Takeaways

1. Discern and update your Federally Qualified Health Center status or other eligible status if available and applicable.
2. Incorporate your FQHC status and related FTCA coverage into overall risk management and purchase of insurance.
3. Identify possibly covered claims or threats of claims and give prompt notice to HHS as required when FTCA coverage is in place.

¹ See 2021 Data Breach Annual Report (ITRC, Jan. 2022), at 6, available at https://www.wsav.com/wpcontent/uploads/sites/75/2022/01/20220124_ITRC-2021-Data-Breach-Report.pdf (last visited Nov. 30, 2022).
² https://bphc.hrsa.gov/initiatives/ftca/faq (last visited Nov. 30, 2022).
³ See Program Assistance Letter 2021-21, Calendar Year 2022 Requirements for Federal Tort Claims Act Coverage for Health Centers and Their Covered Individuals (Feb. 9, 2021), at 16, available at https://bphc.hrsa.gov/sites/default/files/bphc/compliance/pal-2021-01_0.pdf (last visited Nov. 30, 2022).
⁴ Ford v. Sandhills Med. Found., Inc., Case No. 4:21-CV-02307-RBH, U.S. District Court for the District of South Carolina (Nov. 10, 2022), appeal pending, No. 22-2268 (4th Cir.); Mixon v. CareSouth Carolina, Inc., Case No. 4:22-CV-00269-RBH, U.S. District Court for the District of South Carolina (June 2, 2022); Jane Doe v. Neighborhood Healthcare et al., Case No. 3:21-cv-01587-BEN-RBB, U.S. District Court for the Southern District of California (Sept. 8, 2022).