Supreme Court Declines Petition to Take on Data Breach Case Against South Carolina FQHC
The Supreme Court has declined to hear a case about whether a Federally Qualified Health Center (FQHC) is immune from liability over a data breach that exposed the personally identifiable information of patients. Sandhills Medical Foundation is an FQHC that serves patients in Chesterfield, Kershaw, Lancaster, and Sumter Counties in South Carolina. Sandhills used a vendor (Netgain Technologies) for electronic storage of its scheduling, billing, and reporting systems. On January 8, 2021, the vendor notified Sandhills of a ransomware attack that began on November 15, 2020. The ransomware group used compromised credentials to access the vendor's systems and steal sensitive data, and deployed ransomware on December 3, 2020.
According to Sandhills, the breach involved the information of 39,602 patients. Health information was not compromised, although claims information may have allowed an attacker to determine diagnoses and conditions. The information stolen in the attack included names, dates of birth, mailing and email addresses, driver’s licenses, and Social Security numbers. One of the affected individuals, Joann Ford, took legal action over the data breach on behalf of herself and other similarly situated individuals. Ford received medical services at Sandhills in 2018 but ceased being a patient of Sandhills before the November ransomware attack. The data stolen in the attack included her personally identifiable information (PII) but not her protected health information (PHI). Her PII was later used to fraudulently apply for a loan.
Sandhills had the case removed to federal court for a determination on whether a federal immunity defense shielded it from liability. Ford had provided her data to Sandhills as a condition of her treatment, and Sandhills argued, and the District Court agreed, that the theft of her PII arose out of the performance of medical, surgical, dental, or related functions. Under 42 U.S.C. § 233(a), the case was treated as one brought pursuant to the Federal Tort Claims Act (FTCA); the District Court determined that Sandhills had immunity, and the United States was substituted for Sandhills as the defendant.
The United States filed a motion to dismiss for lack of subject matter jurisdiction claiming the appellant failed to exhaust her administrative remedies with the Department of Health and Human Services before filing suit, as required by the FTCA. While the appellant conceded that was the case, she maintained that Sandhills was not shielded under § 233(a) since the provision of her PII to the vendor was not a medical, surgical, dental, or related function.
The District Court granted the motion to dismiss; however, the decision was appealed. The United States Court of Appeals for the Fourth Circuit ruled that § 233(a) did not apply to the claims, as Sandhills was not performing a related function when the hacker stole the appellant’s PII. The District Court’s decision was vacated in March 2024, and the case was remanded for further proceedings.
“If [§ 233(a)] applied to any action that a patient must take in order to receive healthcare, it would shield Sandhills from any and all claims despite their lack of relation to their treatment,” wrote the appellate court. “Consider a scenario where, in anticipation of receiving healthcare, Appellant provided her PII and billing information to Sandhills but never showed up for her appointment. In that instance, Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment.” This week, the Supreme Court listed the lawsuit as Certiorari Denied, declining to take up the case.