Opinion
3:22-CV-00117-BSM
03-08-2024
ORDER
ARcare's motion to substitute the United States or, in the alternative, to dismiss [Doc. No. 25] is denied. ARcare's motion for stay pending a determination of the proper defendant [Doc. No. 23] is moot.
I. BACKGROUND
Plaintiffs in this putative class action were patients of ARcare, a federally funded health clinic, whose confidential health information was exposed in a breach of ARcare's computer system. Plaintiffs allege that ARcare negligently or recklessly maintained their records on a computer system that was vulnerable to cyberattacks. Compl. ¶¶ 4, 41, 86, 99-100, 104, 110. When ARcare requested the United States to intervene and substitute itself as the defendant pursuant to 42 U.S.C. § 233, the United States declined. See Doc. No. 27-1(determining that this suit does not seek “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions”). ARcare then filed this motion to force the substitution of the United States, arguing that ARcare is immune from suit under 42 U.S.C. § 233(a) and that plaintiffs' exclusive remedy is against the United States under the Federal Torts Claim Act (“FTCA”), 28 U.S.C. § 1346(b).
II. LEGAL STANDARD
The Federally Supported Health Centers Assistance Act (“FSHCAA”), 42 U.S.C. § 233, extends immunity under the FTCA to federally funded community health centers that are deemed to be Public Health Service (“PHS”) employees by the United States Department of Health and Human Services. 42 U.S.C. § 233(g). PHS employees are granted immunity from claims “for damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions” while acting within the scope of their employment. 42 U.S.C. § 233(a). “Section 233(a) grants absolute immunity to PHS officers and employees for actions arising out of the performance of medical or related functions within the scope of their employment by barring all actions against them for such conduct.” Hui v. Castaneda, 559 U.S. 799, 806 (2010). When section 233 immunity applies, the United States is substituted as the defendant and the case proceeds as one brought under the FTCA. Friedenberg v. Lane Cnty., 68 F.4th 1113, 1118 (9th Cir. 2023).
III. DISCUSSION
ARcare's motion to substitute is denied because protecting patients' confidential information from a data breach is not a medical or related function for purposes of section 233(a) immunity. ARcare's motion presents two questions: Can a district court force substitution of the United States over its objection? And is ARcare immune from suit under section 233(a) for its failure to protect its patients' confidential information? The answer to the first question is yes; the answer to the second question is no.
A. Forced Substitution of the United States
The United States can be ordered to substitute for ARcare as defendant over its objection. The United States argues that section 233 does not permit forced substitution because the FSHCAA does not specifically provide for it. See United States v. Alexander, 725 F.3d 1117, 1121 (9th Cir. 2013) (presuming that Congress's drafting decisions are deliberate).
While the Eighth Circuit has yet to address the forced-substitution issue, courts have repeatedly “rejected the argument that they lack authority to assess immunity under § 233 and substitute the United States as a defendant over its objection.” Moretti v. Letty Owings Ctr., No. 3:21-CV-1525-SI, 2023 WL 6216279, at *5 (D. Or. Sept. 25, 2023). See also Kezer v. Penobscot Cmty. Health Ctr., No. 1:15-cv-00225-JAW, 2019 BL 141566, at *9 (D. Me. Mar. 21, 2019) (“the lack of a specific mechanism for substitution in § 233 does not prohibit the Court from ordering substitution as an exercise of its limited jurisdictional authority”); C. K. v. United States, No. 19-CV-2492 TWR (RBB), 2020 WL 6684921, at *4 (S.D. Cal. Nov. 12, 2020) (district court has the ability to effect substitution of the United States if necessary when § 233 immunity applies).
For these reasons, the United States can be ordered to substitute for ARcare if ARcare is immune from suit under section 233(a). If section 233(a) immunity applies, the case will proceed as one brought against the United States, and the United States cannot pick and choose when it wishes to be substituted as defendant.
B. Immunity for Failure to Protect Private Information
ARcare is not immune from suit because securing patients' confidential information is not a medical or related function under section 233(a). The parties do not dispute that ARcare was a deemed PHS employee during the relevant time period. See Notices of Deeming Action, Mot. to Substitute Ex. 1, Doc. No. 25-1. They dispute whether plaintiffs' claims are for damage from personal injury resulting from ARcare's performance of medical or related functions.
Cases involving section 233(a) immunity typically “arise when a patient sues an entity or its employee for injuries resulting from medical treatment, and the entity or employee seeks coverage under this provision in order to be immune from suit.” Brignac v. United States, 239 F.Supp.3d 1367, 1374 (N.D.Ga. 2017). But immunity under section 233(a) is not limited to medical malpractice claims. Cuoco v. Moritsugu, 222 F.3d 99, 108 (2d Cir. 2000). Immunity may apply when “job functions . . . are ‘interwoven'” with the provision of medical care. Goss v. United States, 353 F.Supp.3d 878, 886 (D. Ariz. 2018). See, e.g., Friedenberg, 68 F.4th at 1130 (failure to report violations of court-ordered treatment plan to the court was “related” to provision of medical services); Brignac, 239 F.Supp.3d at 1377 (claim of negligent hiring and retention of doctor is “related function” to the provision of medical services); and Teresa T. v. Ragaglia, 154 F.Supp.2d 290, 300 (D. Conn. 2001) (duty of doctor to report suspected child abuse is a “‘related function' to the doctor's performance of medical services”). In these cases, the conduct held to be a related function under section 233(a) has a “distinct connection to the provision of medical, surgical, or dental services.” Friedenberg, 68 F.4th at 1130.
The Eighth Circuit has not considered whether section 233(a) immunity applies to a claim for failure to secure and protect confidential patient information, but some district courts have held that maintenance of confidential records is a function related to the provision of medical services. In Kezer, 2019 BL 141566, at *8, the court concluded that clinic employees' failure to keep medical records confidential while performing quality improvement activities is a “related function.” In Mele v. Hill Health Ctr., No. 3:06CV455 (SRU), 2008 WL 160226, at *3 (D. Conn. Jan. 8, 2008), the court held that a patient's claim that a provider improperly disclosed his treatment information concerns “the related function of ensuring the privacy of patient medical information.”
A few courts have directly addressed whether section 233(a) immunity applies to claims alleging the failure to protect patient information from a data breach. In Mixon v. CareSouth Carolina, Inc., No. 4:22-CV-00269-RBH, 2022 WL 1810615, at *5 (D.S.C. June 2, 2022), the court held that a health center was immune because the “alleged data breach arose out of [the health center's] performance of medical or related functions”; see also Ford v. Sandhills Med. Found., 4:21-cv-2307-RBH, 2202 WL 1810614, at *6 (D.S.C. June 2, 2022). Similarly, in Doe v. Neighborhood Healthcare, 3:21-cv-1587-BEN-RBB, 2022 WL 17663520, at *7 (S.D. Cal. Sept. 8, 2022), the court concluded that failure to protect confidential information from unauthorized access “is a related function because maintaining confidential personal and health information is necessary to effectively treat patients.” By contrast, the court in Marshall v. Lamoille Health Partners, Inc., No. 2:22-CV-166, 2023 WL 2931823, at *5 (D. Vt. Apr. 13, 2023) held that protecting patient information from a cyberattack was not a related function, reasoning that “technology-related activities” were not “‘interwoven' with the provision of medical care” but “instead consisted of security-related work by information technology and compliance personnel in a health care setting.”
ARcare points to statutes and regulations governing community health centers to support its argument that section 233 immunity applies. In order to receive federal funding, ARcare must “have an ongoing quality improvement system that includes clinical services and management, and that maintains the confidentiality of patient records.” 42 U.S.C. § 254b(k)(3)(C). But this statutory requirement to maintain confidentiality applies to the center's quality improvement system, which is not at issue here. Regulations require ARcare to “[i]mplement a system for maintaining the confidentiality of patient records,” 42 C.F.R. § 51c.303 ” and to hold confidential “[a]ll information as to personal facts and circumstances obtained by the project staff about recipients of services.” 42 C.F.R. § 51c.110. While these provisions demonstrate the importance of patient confidentiality, they do not conclusively establish that protecting private information on computer networks is a “related function” to providing medical care.
All things considered, I conclude that ARcare's failure to use “reasonable security procedures and practices appropriate to . . . sensitive, unencrypted information,” as alleged in the complaint, is not a “related function” sufficient to confer immunity under section 233(a). Most cases in which courts have applied section 233(a) immunity to claims for failure to protect private information involve conduct that occurred during the course of medical treatment within the context of the provider-patient relationship. See, e.g. Friedenberg, 68 F.4th at 1130 (finding there is a “distinct connection” to the provision of medical services); Mele, 2008 WL 160226, at *3 (the disclosure of a patient's medical information occurred during the course of treatment); Kezer, 2019 BL141566, at *6 (the disclosure occurred during an investigation of patients' complaints about a doctor). By contrast, the conduct at issue here, occurred outside of the provision of medical services. It is not “interwoven” with the provision of medical care. See Marshall, 2023 WL 2931823, at *5; Goss, 353 F.Supp.3d at 886. Nor is it tied to ARcare employees' “status as medical health professionals.” Friedenberg, 68 F.4th at 1130. The nexus between protecting private information from cyberattacks and the provision of medical care is not sufficient to render ARcare's failure to protect that information a “related function” under section 233(a). Therefore, section 233(a) immunity does not apply.
C. Motion to Dismiss
Because ARcare is not immune from suit, ARcare's alternative request to dismiss the complaint for failure to state a claim which is premised on immunity is denied.
IV. CONCLUSION
For the foregoing reasons, ARcare's motion to substitute the United States or, in the alternative, to dismiss is denied, and its motion to stay is moot.
IT IS SO ORDERED