SCOTUS wont weigh in on FQHCs liability over patient data
pThe Supreme Court has declined to hear a case on whether a Federally Qualified Health Center is immune from liability over a former patients stolen personally identifying information PIIppThe classaction lawsuit stemmed from a patient who received care and provided that information to Sandhills Medical Foundation an FQHC in 2018pp
ppThe providers thirdparty computer system was hit with a cyberattack in late 2020 in which the plaintiffs PII but not her protected health information PHI was stolen and used to apply for a loanpp
pp
ppAs an FQHC Sandhills is considered a US Public Health Service employee and as such a protected entity when performing medical surgical dental or related functions It argued that the collection of the patients PII falls under those functions which would afford the FQHC immunity and see the US substituted as the defendant in line with a case brought pursuant to the Federal Tort Claims ActppThough the plaintiff filed her complaint in a South Carolina state court Sandhills argument saw the case removed to federal court where it successfully argued its immunity from the suitpp
ppThe federal judge confirmed Sandhills status in June 2022 ruling that the requirement to provide PII in order to receive treatment meant that the theft was a result of Sandhills performing medical surgical dental or related functions That ruling substituted the federal government as the defendant and was appealed later that yearppThe US Court of Appeals for the Fourth Circuit saw the situation differently In a March 2024 ruling it interpreted related functions to more closely cover healthcare provision as opposed to data security which is more akin to an administrative function It also highlighted the time gap between the patients receipt of care services and the cybersecurity incident and disagreed with the FQHCs argument that storage and maintenance of the plaintiffs PII was related to careppThere is no limiting principle to Sanhills position the appellate court wrote If the statute granting immunity applied to any action that a patient must take in order to receive healthcare it would shield Sandhills from any and all claims despite their lack of relation to their treatmentppConsider a scenario where in anticipation of receiving healthcare Appellant provided her PII and billing information to Sandhills but never showed up for her appointment In that instance Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment the court wroteppThe appellate court vacated the lower courts ruling and remanded for further proceedings Monday the Supreme Court listed the case Ford v Sandhills Medical Foundation Inc as Certiorari Denied meaning the top court declined the petition to take up the case p
ppThe providers thirdparty computer system was hit with a cyberattack in late 2020 in which the plaintiffs PII but not her protected health information PHI was stolen and used to apply for a loanpp
pp
ppAs an FQHC Sandhills is considered a US Public Health Service employee and as such a protected entity when performing medical surgical dental or related functions It argued that the collection of the patients PII falls under those functions which would afford the FQHC immunity and see the US substituted as the defendant in line with a case brought pursuant to the Federal Tort Claims ActppThough the plaintiff filed her complaint in a South Carolina state court Sandhills argument saw the case removed to federal court where it successfully argued its immunity from the suitpp
ppThe federal judge confirmed Sandhills status in June 2022 ruling that the requirement to provide PII in order to receive treatment meant that the theft was a result of Sandhills performing medical surgical dental or related functions That ruling substituted the federal government as the defendant and was appealed later that yearppThe US Court of Appeals for the Fourth Circuit saw the situation differently In a March 2024 ruling it interpreted related functions to more closely cover healthcare provision as opposed to data security which is more akin to an administrative function It also highlighted the time gap between the patients receipt of care services and the cybersecurity incident and disagreed with the FQHCs argument that storage and maintenance of the plaintiffs PII was related to careppThere is no limiting principle to Sanhills position the appellate court wrote If the statute granting immunity applied to any action that a patient must take in order to receive healthcare it would shield Sandhills from any and all claims despite their lack of relation to their treatmentppConsider a scenario where in anticipation of receiving healthcare Appellant provided her PII and billing information to Sandhills but never showed up for her appointment In that instance Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment the court wroteppThe appellate court vacated the lower courts ruling and remanded for further proceedings Monday the Supreme Court listed the case Ford v Sandhills Medical Foundation Inc as Certiorari Denied meaning the top court declined the petition to take up the case p
