Joann Ford v. Sandhills Medical Foundation, Inc.

U.S. Court of Appeals for the Fourth Circuit
Joann Ford v. Sandhills Medical Foundation, Inc., 97 F.4th 252 (4th Cir. 2024)

USCA4 Appeal: 22-2268 Doc: 55 Filed: 03/29/2024 Pg: 1 of 20

PUBLISHED

UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT

No. 22-2268

JOANN FORD, on behalf of herself and all others similarly situated,

Plaintiff - Appellant,

and

UNITED STATES OF AMERICA,

Defendant - Appellee,

v.

SANDHILLS MEDICAL FOUNDATION, INC.,

Defendant - Appellee.

Appeal from the United States District Court for the District of South Carolina, at Florence. R. Bryan Harwell, Chief District Judge. (4:21-cv-02307-RBH)

Argued: December 7, 2023 Decided: March 29, 2024

Before THACKER, HARRIS, and RICHARDSON, Circuit Judges.

Vacated and remanded by published opinion. Judge Thacker wrote the opinion in which Judge Harris and Judge Richardson joined.

ARGUED: John A. Yanchunis, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Kevin Joseph Kennedy, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C., for Appellee. Matthew Sidney Freedus, FELDESMAN TUCKER LEIFER & FIDELL, LLP, Washington, D.C., for Appellee. ON BRIEF: Kenya J. Reddy, MORGAN & MORGAN, P.A., Tampa, Florida, for Appellant. Brian M. Boynton, Principal Deputy Assistant Attorney General, Mark B. Stern, Dana L. Kaersvang, Civil Division, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C.; Samuel R. Bagenstos, General Counsel, Michael I. Goulding, Associate General Counsel, Robert H. Murphy, Sean M. Flaim, General Law Division, UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Washington, D.C.; Adair F. Boroughs, United States Attorney, OFFICE OF THE UNITED STATES ATTORNEY, Columbia, South Carolina, for Appellee United States. Rosie Dawn Griffin, FELDESMAN TUCKER LEIFER FIDELL, LLP, Washington, D.C.; Michael D. Wright, SAVAGE, ROYALL & SHEEHAN, LLP, Camden, South Carolina; Jessica L. Fickling, STROM LAW OFFICE, Columbia, South Carolina, for Appellee Sandhills Medical Foundation, Inc.

THACKER, Circuit Judge:

Joann Ford (“Appellant”), on behalf of herself and all others similarly situated, filed a complaint in South Carolina state court, alleging claims for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality against Sandhills Medical Foundation, Inc. (“Sandhills”) for failure to properly maintain her personally identifying information (“PII”) and protected health information (“PHI”). Appellant provided this information to Sandhills as a condition of her treatment when she was a patient in 2018. After Appellant ceased being a patient at Sandhills, Appellant’s PII was stolen from Sandhills’ third party computer system in a cyberattack in late 2020. Appellant’s PHI was not affected by the cyberattack.

Sandhills removed the case to federal court for a determination as to whether a federal immunity defense shielded it from liability. In order for Sandhills to be immune from suit, it had to demonstrate that Appellant’s alleged damages resulted “from the performance of medical, surgical, dental, or related functions.” 42 U.S.C. § 233(a). If § 233(a) applies, then the case is treated as one brought pursuant to the Federal Tort Claims Act (“FTCA”), Sandhills is afforded immunity, and the United States is substituted for Sandhills as the defendant.

The district court concluded that Sandhills was immune from suit and the United States was substituted for Sandhills as the defendant pursuant to § 233(a). In coming to this conclusion, the district court reasoned that because Appellant was required to provide her PII to Sandhills in order to receive treatment, the theft of her PII arose out of Sandhills’ performance of “medical, surgical, dental, or related functions.”

But as explained below, we conclude that § 233(a) does not apply to Appellant’s claims because Sandhills was not performing a related function when an unnamed third party hacked and stole Appellant’s PII.

Therefore, we vacate and remand.

I.

A.

Sandhills is a South Carolina nonprofit health center that receives federal funding pursuant to the Public Health Service Act, 42 U.S.C. § 254b et seq., (the “PHS Act”) to provide primary health care and related services to medically underserved communities in South Carolina. This case arises from a cyberattack in late 2020, during which unknown bad actors stole the electronically stored PII of Sandhills’ patients, including Appellant.

Appellant was a Sandhills patient from approximately 2018 to 2019. In order to provide her treatment, Sandhills requested, collected, and stored Appellant’s PII. At the time, Sandhills did not store its patients’ PII locally, but instead hired a third party vendor and utilized the vendor’s online data storage platform to store the information.

In late 2020, the third party vendor’s computer system was hacked, resulting in the disclosure of Appellant’s PII. Sandhills did not learn of the breach until January 8, 2021. And on or about March 5, 2021, Sandhills announced the security breach to its current and former patients. Thereafter, in a public notice to its patients, Sandhills shared that it had “determined that patient medical records, lab results, medications, credit card numbers, and bank account numbers were NOT affected.” J.A. 34 (emphasis in original). 1 Rather, the impacted data included patient names, dates of birth, mailing and email addresses, driver’s licenses and state identification cards, social security numbers, and insurance claims information that could be used to identify medical conditions.

On April 2, 2021, an unknown and unauthorized individual used Appellant’s PII to apply for a $500 loan. Appellant asserts that she spent time dealing with this fraudulent use of her PII and remains concerned about the potential for further loss of privacy and fraud from unauthorized individuals using her stolen information. She also alleges that she suffered lost time, annoyance, interference, and inconvenience as a result of the data breach. Appellant claims she suffered “imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse” resulting from unauthorized persons possessing her PII. J.A. 41.

B.

On June 18, 2021, Appellant filed a Complaint in the Court of Common Pleas for Chesterfield County, South Carolina, alleging that Sandhills failed to safeguard her PII, which resulted in a fraudulent loan application in her name. Appellant styled her Complaint as a proposed nationwide class action, to include those current and former patients “whose PII or PHI was exposed to an unauthorized party.” J.A. 42. Appellant alleged claims for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality based on Sandhills’ failure to: (1) adequately protect the PII and PHI of Appellant and the class; (2) warn Appellant and the class of its inadequate information security practices; and (3) avoid sharing the PII and PHI of Appellant and the class without adequate safeguards.

1 Citations to the “J.A.” refer to the Joint Appendix filed by the parties in this appeal.

After Sandhills was served the complaint, it notified the United States Attorney General, claiming that it was “entitled to absolute immunity from this civil action, as it resulted from Sandhills’ performance of medical or related functions.” 2 J.A. 65. After the time elapsed for the United States to make an appearance, Sandhills removed the action to the United States District Court for the District of South Carolina. In its removal, Sandhills argued the district court had subject matter jurisdiction over the case for three reasons.

First, Sandhills relied on 42 U.S.C. § 233(l)(2), a federal removal statute that permits a community health center recipient of federal grant funds to remove a case to federal court to determine the applicability of 42 U.S.C. § 233(a) -- a federal immunity defense for qualifying private health centers that receive federal grant money. Section 233(a) shields qualifying health centers from damages arising “from the performance of medical, surgical, dental, or related functions, including the conduct of clinical studies or investigation.” Sandhills argued that § 233(a) should apply to its data security functions, making it immune from suit, because it collects patient PII as a condition of providing treatment. Therefore, Sandhills contended that its maintenance of patient PII was inextricably woven into its provision of health care and thus qualified its data security as a “related” function of medical care.

2 If a suit covered by § 233(a) is brought in state court, the PHS defendant may notify the Attorney General. 42 U.S.C. § 233(l)(1). The Attorney General then has fifteen days to make an appearance in the state court and advise the court whether the defendant “is deemed to be an employee of the Public Health Services for purposes of this section with respect to the actions or omissions that are the subject of” the action. Id. This operates as the Attorney General certifying that the PHS defendant was acting in scope of employment. Id.; § 233(c). If fifteen days pass with no response from the Attorney General, “the civil action or proceeding shall be removed to the appropriate United States district court.” § 233(l)(2). Once removed to federal court, the merits of the action “shall be stayed in such court until such court conducts a hearing, and makes a determination, as to” whether the claim falls within § 233(a). Id.

Second, in support of removal, Sandhills cited 28 U.S.C. § 1442(a)(1), which permits any officer of the United States or of any federal agency -- or any person acting under that officer -- to remove a case against them in their official or individual capacity to federal court, even when the underlying federal question arises only as a defense to a state law claim. See Jefferson Cnty., Ala. v. Acker, 527 U.S. 423, 431 (1999). Sandhills argued that, as “an officer, or a person acting under a federal officer” as a Public Health Service (“PHS”) employee, it had a right to remove the case pursuant to § 1442(a)(1). J.A. 9.

And finally, Sandhills argued that federal question jurisdiction existed pursuant to 42 U.S.C. § 1331 because the substance of Appellant’s action hinges on § 233(a).

Sandhills also requested that the district court substitute the United States for Sandhills as the defendant pursuant to § 233(a). Agyin v. Razmzan, 986 F.3d 168, 184 (2d Cir. 2021) (citing 42 U.S.C. § 233(a)) (stating that a defendant “is entitled to immunity from suit and to substitution of the United States as the defendant if this suit concerns actions [a federal employee] took within the scope of his employment as a deemed federal employee”).

Pursuant to § 233(l)(2), the case was automatically stayed until the district court could resolve the removal issue. And the district court ordered Sandhills to file a motion to substitute the United States and to “confer with government counsel regarding whether Sandhills is entitled to immunity from suit and to substitution of the United States as the defendant.” J.A. 4. Sandhills filed the motion to substitute, arguing that it should be immune from suit and the United States must be substituted for it as the defendant pursuant to 42 U.S.C. § 233(a). Thereafter, the United States filed a statement of interest expressing its position that Sandhills was not entitled to immunity because collecting and storing its patients’ PII was not inextricably woven into the performance of medical, surgical, or dental functions such that Sandhills’ data security should qualify as a “related” function within the meaning of § 233(a). The district court held a hearing on the motion, at which Sandhills, the United States, and Appellant were all heard.

Ultimately, the district court concluded that Sandhills was entitled to remove the case to federal court and to immunity and substitution of the United States. The district court reasoned that because Sandhills required Appellant to provide her PII as a condition of being a patient and receiving medical services, the breach of its systems containing such information arose out of Sandhills’ performance of medical or “related functions” within the meaning of § 233(a). And the district court supported this conclusion by pointing to Sandhills’ “statutory requirement of confidentiality,” which the district court believed was “inextricably woven” into Sandhills’ provision of health care such that it amounts to a “related” function. J.A. 267.

Once substituted as the defendant, the United States filed a motion to dismiss for lack of subject matter jurisdiction asserting that Appellant had failed to exhaust her administrative remedies with Health and Human Services before filing suit as required by the FTCA. Appellant conceded that she had not exhausted her administrative remedies, but she maintained that § 233(a) did not shield Sandhills from suit as the storage of her PII with a third party vendor was not a “medical, surgical, dental, or related function[].” Therefore, in Appellant’s view, substituting the United States was improper as the claims did not fall within the purview of § 233(a) and therefore the FTCA did not apply. And if the FTCA did not apply, then Appellant was not required to exhaust her administrative remedies prior to suit.

The district court, finding no grounds to overturn its prior decision, granted the motion to dismiss for lack of subject matter jurisdiction. This appeal followed.

On appeal, Appellant argues that Sandhills’ data storage practice, including the maintenance of her PII, is too removed from the provision of health care to amount to a “related” function such that Sandhills cannot receive § 233(a) immunity and, therefore, the case should not be treated as one brought pursuant to the FTCA. We agree with Appellant.

II.

Because the application of § 233(a) is a question of law, we review de novo the district court’s conclusion that § 233(a) shields Sandhills from suit, as well as the substitution of the United States. S.C. Wildlife Fed’n v. Limehouse, 549 F.3d 324, 332 (4th Cir. 2008) (“[T]he existence of sovereign immunity is a question of law that we review de novo.” (alterations in original) (internal quotation marks omitted)); Gutierrez de Martinez v. Drug Enf’t Admin., 111 F.3d 1148, 1152 (4th Cir. 1997). And we also review de novo the district court’s dismissal of Appellant’s claims. Pledger v. Lynch, 5 F.4th 511, 517 (4th Cir. 2021).

III. Whether Data Security Amounts to a “Related” Function Within the Purview of § 233(a)

A. The Federally Supported Health Centers Assistance Act

Pursuant to the Federally Supported Health Centers Assistance Act (“FSHCAA”), private health centers that receive federal funds may be considered PHS employees if certain conditions are met. Friedenberg v. Lane Cnty., 68 F.4th 1113, 1118 (9th Cir. 2023) (citing 42 U.S.C. § 233(g)). Appellant does not challenge Sandhills’ status as a PHS employee. If an entity receives PHS employee status, then § 233(a) provides the entity immunity from “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions, including the conduct of clinical studies or investigation, by any commissioned officer or employee of the Public Health Service while acting within the scope of his office or employment.” 42 U.S.C. § 233(a) (emphasis supplied).

If a claim is subject to § 233(a), then the claim is treated as one brought against the United States within the purview of the FTCA. Hui v. Castaneda, 559 U.S. 799, 802 (2010) (“Section 233(a) makes the FTCA remedy against the United States exclusive of any other civil action or proceeding for any personal injury caused by a PHS officer or employee performing a medical or related function while acting within the scope of his office or employment.” (internal quotation marks omitted)). If the FTCA applies, the United States is substituted as a defendant. See 42 U.S.C. § 233(a); Hui, 559 U.S. at 801–02 (“When federal employees are sued for damages for harms caused in the course of their employment, the . . . FTCA . . . generally authorizes substitution of the United States as the defendant.”); see also Agyin v. Razmzan, 986 F.3d 168, 184 (2d Cir. 2021) (“[A PHS employee] is entitled to immunity from suit and to substitution of the United States as the defendant if this suit concerns actions he took within the scope of his employment as a deemed federal employee.”).

Thus, the FSHCAA “essentially makes the U.S. government the medical malpractice insurer for qualifying . . . health centers, their officers, employees, and contractors, allowing these ‘deemed’ health centers to forgo obtaining private malpractice insurance.” Dedrick v. Youngblood, 200 F.3d 744, 745 (11th Cir. 2000). “This designation enables centers caring for underserved populations to spend their money on patient care rather than malpractice premiums.” Chronis v. United States, 932 F.3d 544, 546 n.1 (7th Cir. 2019).

B. Data Security Does Not Amount to a “Related” Function Within § 233(a)

We now turn to whether § 233(a) shields Sandhills from Appellant’s suit, which arose out of Sandhills’ allegedly negligent storage of her PII with a third party vendor. In this regard, the question we face is whether data security is a “medical, surgical, dental, or related function[]” that qualifies for § 233(a) immunity. In this instance, it is not.

1. Based on the plain language of § 233(a), data security is not a related function within the meaning of the statute

Clearly, the storage of patient PII is not in and of itself a medical, surgical, or dental function. Therefore, to fall within the purview of § 233(a), it must be a “related” function.

In assessing what may be a “related” function, we first look to the plain language of the statute. See Lynch v. Jackson, 853 F.3d 116, 121 (4th Cir. 2017) (“We start as we must with the plain language of the statute because when the statute’s language is plain, the sole function of the courts—at least where the disposition required by the text is not absurd—is to enforce it according to its terms.” (internal quotation marks omitted)).

Appellant contends that the plain language of the statute supports that a general term like “related functions” must be construed to embrace only the words that come before it -- medical, surgical, and dental. Appellant therefore argues that the collection and storage of PII does not amount to a “related” function of medical, surgical, or dental services where “[c]ollecting such information does not depend on a medical, surgical, or dental professional’s skill, knowledge, or judgment.” Appellant’s Opening Br. at 17–18. In response, Sandhills argues that the word “related” must be broadly interpreted such that the statute covers “ancillary functions” to medical services. Sandhills Resp. at 15. We agree with Appellant that a more limited interpretation of “related functions” is proper.

We begin with the meaning of the words “related” and “function.” Related is defined as “connected by relation,” “having close harmonic connection.” Webster’s Seventh New Collegiate Dictionary 723 (1969), and “having mutual . . . connection,” Oxford English Dictionary (compact ed. 1971). 3 And “function” is defined not as any given activity, but as “the action for which one is particularly fitted or employed,” Webster’s, supra at 338, and “[t]he nature and proper action of anything; activity appropriate to any business or profession,” Black’s Law Dictionary (4th ed. 1968). Thus, a “related function[]” is an activity particularly fitted to whatever is connected to whatever precedes the phrase. In other words, its meaning depends on the words that come before it.

Within § 233(a), the language “related functions” acts as a general catchall for specific functions -- “the performance of medical, surgical, [or] dental” functions. 42 U.S.C. § 233(a). “[W]here general words follow specific words in a statutory enumeration, the general words are construed to embrace only objects similar in nature to those objects enumerated by the preceding specific words.” Cir. City Stores, Inc. v. Adams, 532 U.S. 105, 114–15 (2001) (internal quotation marks omitted); see also Robinson v. Shell Oil Co., 519 U.S. 337, 341 (1997) (“The plainness or ambiguity of statutory language is determined by reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole.”). We therefore construe a general term like “related” as sharing the attributes of the specific words in the list. See Yates v. United States, 574 U.S. 528, 544 (2015) (applying the principle of noscitur a sociis to limit “tangible object” to those items similar to “record” or “document” as opposed to the fish at issue in the investigation). As a matter of plain meaning, medical, surgical, and dental all fit into one category – they are adjectives that describe various fields of health care. 4 Staying true to Congress’ intent, we read a “related” function as fitting within that category, or in other words, a field of health care outside of medicine, surgery, or dentistry. See Wikimedia Found. v. Nat’l Sec. Agency, 14 F.4th 276, 297 (4th Cir. 2021) (applying noscitur a sociis as limiting the phrase “such other material” to the two preceding conditions in a list).

3 Because § 233(a) was originally added to the PHS Act in 1970, see PL 91-623, 84 Stat. 1868 (1970), we employ definitions from that time to interpret Congress’ intent. Wisc. Cent. Ltd. v. United States, 585 U.S. 274, 277 (2018) (“[O]ur job is to interpret the words consistent with their ordinary meaning . . . at the time Congress enacted the statute.” (internal quotation marks omitted)).

The words immediately following “related functions” also cabin its contextual meaning. The statute exemplifies “related functions” as “including the conduct of clinical studies or investigation.” 42 U.S.C. § 233(a). This provides further support for the position that “related functions” explicitly encompasses only the provision of health care. Both the Supreme Court and this court have held that the word “including” “connotes simply an illustrative application of [a] general principle.” United States v. Hawley, 919 F.3d 252, 256 (4th Cir. 2019) (quoting Fed. Land Bank of St. Paul v. Bismarck Lumber Co., 314 U.S. 95, 100 (1941)). Insofar as “related functions” include providing treatment or diagnoses in a clinical study, there is little support for the notion that data security, which is more akin to an administrative function, should be included within the meaning of § 233(a).

4 One might jump to the thought that surgery is merely a subset of medicine. And in some sense that is true. But this generalization misses the long-standing distinctions between medicine and surgery. Surgery involves bodily invasion while medicine is generally non-invasive. See Ankur Aggarwal, The Evolving Relationship Between Surgery and Medicine, 12 AMA J Ethics 119, 119 (2010) (“Medicine’s two branches—the less invasive medical methods and the more invasive surgical methods—have been around since before the existence of written language. Surgery, however, was not viewed as belonging to the same sphere as medical treatments until relatively recently, and, even now, a sharp distinction exists between surgeons and other medical doctors. Analyzing the history of surgery can help explain the separation between medical and surgical treatments and why the two fields, although viewed quite differently, fit under the umbrella of medicine.”); Connor T.A. Brenna & Sunit Das, Divides of Identity in Medicine and Surgery: A Review of the Duty-Hour Policy Preference, 57 Annals of Medicine and Surgery 1, 2 (2020) (noting the known and intuitive differences between Medicine and Surgery, including their historical origins); Fitzhugh Mullan, Big Doctoring in America 36 (2002) (“The philosophical difference between ‘medicine’ and ‘surgery’ is a time-honored one.”); Dorland’s Illustrated Medical Dictionary 785 (26th ed. 1985) (defining “medical” in part as “pertaining to medicine as opposed to surgery”).

Defining § 233(a)’s scope to extend only to the provision of health care also makes sense because the subsection provides that the United States will be substituted as defendant solely for claims “for damage for personal injury, including death.” Misfeasance in the provision of health care would most likely lead to personal injury or death. A wider definition of “related functions” may improperly broaden § 233(a) to encompass misfeasance that results in other types of damages, such as contract damages.

When employing the canons of construction and considering the plain meaning of the words in § 233(a), we discern no ambiguity in the phrase “related functions.” As such, in order to trigger immunity, alleged damages giving rise to a lawsuit must arise from the provision of health care. See 42 U.S.C. § 233(a). As explained below, Appellant’s alleged damages do not.

2. Appellant’s alleged damages did not occur because of the provision of health care

Appellant’s claims arose when unknown bad actors hacked Sandhills’ third party vendor’s computer system and stole Appellant’s PII at least a year after she had ended her treatment at Sandhills. Here, Appellant’s PII was not released as a result of the provision of health care. Appellant’s PII was not inappropriately divulged as a result of Sandhills providing health care to Appellant. In comparison, in Mele v. Hill Health Center, which Sandhills argues supports its position, the alleged injury arose when the patient’s sensitive information was “improperly disclosed” to another provider at the direction of a medical professional in relation to the patient’s treatment. See 2008 WL 160226, at *3 (D. Conn. Jan. 8, 2008). The plaintiff’s injury in Mele, unlike Appellant’s, “concern[ed] the medical functions of providing treatment.” Id.

But here, the allegedly improper release of Appellant’s PII did not occur because of Sandhills’ performance of the provision of health care. Therefore, Appellant’s damages did not arise from any action taken by Sandhills “in [its] capacity as a doctor responsible for, [or] in the course of rendering medical treatment for” Appellant. See Cuoco, 222 F.3d at 109 (applying § 233(a) immunity to constitutional violation claim arising out of denial of gender affirming care for pre-trial detainee). This is especially true in this case where, at the time of the unexpected cyberattack, Appellant was no longer receiving any treatment at Sandhills and had not been a Sandhills patient for at least a year.

Nonetheless, Sandhills argues that its storage and maintenance of Appellant’s PII was “related” to her health care treatment because Appellant was required to provide this information in order to receive treatment from Sandhills. Sandhills’ interpretation misses the mark. Sandhills is shielded only from those damages that arise from its performance of “related functions” within the meaning of § 233(a). Data protection is not an activity the medical field in which Sandhills operates is “particularly fitted to” execute, nor is any “related” field of health care. Webster’s, supra at 338. This is highlighted by the fact that Appellant alleges that Sandhills retains the relevant data “even after the [patient] relationship ends.” J.A. 30 (emphasis added). Therefore, the fact that Appellant was required to provide her billing information prior to receiving treatment cannot shield Sandhills when the injury did not occur because of any provision of health care.

There is no limiting principle to Sandhills’ position. If § 233(a) applied to any action that a patient must take in order to receive health care, it would shield Sandhills from any and all claims despite their lack of relation to their treatment. Consider a scenario where, in anticipation of receiving health care, Appellant provided her PII and billing information to Sandhills but never showed up for her appointment. In that instance, Appellant would have suffered the same injury she alleges here from the data breach without ever even receiving treatment. Similarly, Appellant’s alleged injury could have resulted from a data breach at a host of businesses to which she likely discloses her PII, none of which are involved in the provision of health care, including an employer, an entity involved in a banking, financial, or real estate transaction, or an insurance company. In sum, the focus is on the function that caused the injury, and, here, Appellant was not injured by any health care provided by Sandhills.

3. Sandhills’ statutory duty to maintain patient confidentiality cannot override § 233(a)’s mandate that alleged damages arise during the performance of a medical or “related” function

Sandhills also argues that based on its statutory and ethical duty to maintain the confidentiality of patient information, it should be accorded immunity pursuant to § 233(a). Sandhills relies on its statutory duty pursuant to the FSHCAA to “have an ongoing quality improvement system . . . that maintains the confidentiality of patient records” to argue that its patient record systems should qualify as “related functions.” See 42 U.S.C. § 254b(k)(3)(C). Sandhills posits that because it must show that it maintains these systems in order to receive grant money, then data security is included in the provision of health care.

But the requirements to receive federal grant money on which Sandhills relies are separate and apart from § 233(a) immunity. In fact, a health center that qualifies to receive federal grant money need not even apply to be considered a PHS employee. See 42 U.S.C. § 233(g)(1)(D) (the Secretary may not “deem an entity . . . to be an employee of the Public Health Service for purposes of this section, . . . unless the entity has submitted an application”); id. § 233(g)(1)(G)(ii) (allowing federal grant recipients “that ha[ve] not submitted an application . . . to purchase medical malpractice liability insurance coverage with Federal funds”). And as previously discussed, without PHS employee status, § 233(a) does not apply. Of note, there is no mention of data security or systems in § 233. Therefore, Sandhills’ argument that Congress intended data security to be a “related” function lacks credence.

Nor does Sandhills’ duty to keep patient information confidential mean that Appellant’s claims arose from a “medical, surgical, dental, or related functions.” 42 U.S.C. § 233(a). Sandhills points to Krandle v. Refuah Health Center, Inc. to support its argument that its duty to protect patient information makes data security a “function . . . essential to the practice of medicine.” See No. 22cv4977, 2024 WL 1075359, at *9 (S.D.N.Y. Mar. 12, 2024). Not only is Krandle not binding precedent on this court, but it fails to focus on whether the alleged damages arose as a result of the provision of health care to the injured party. See id. In the case of this data breach, they did not. 5 Simply because Sandhills has a duty to keep Appellant’s information confidential does not mean that the release of her PII resulted from Sandhills’ provision of health care.

The same applies to Sandhills’ maintenance of any medical billing codes. In her complaint, Appellant alleges that Sandhills failed to properly secure its billing codes which could reveal her medical diagnoses. But again, § 233(a) requires that the cause of Appellant’s injury be the provision of health care. And even so, the development and protection of the codes is not part of the provision of health care. Instead, medical coding is typically a by-product, separate and apart from the provision of health care, performed by coders who review documentation of a patient’s visit to assign it the appropriate billing code. These are not categories within the provision of health care. Rather, they are administrative operations.

Again, to determine whether § 233(a) immunity applies, the focus is on the function -- not the duty. See Cuoco, 222 F.3d at 109 (emphasizing that it is the conduct, not the style of the claim, that determines whether § 233(a) immunity applies). Appellant does not allege that Sandhills provided deficient health care or improperly collected her information as a part of her treatment. Indeed, Appellant’s alleged damages arose from a data security breach that occurred at least a year after she ceased being a patient at Sandhills. Because Appellant’s injury did not arise from Sandhills’ provision of health care, § 233(a) does not shield Sandhills from Appellant’s claims. Id.

5 Similarly, Hale v. ARcare, Inc., also provided by Sandhills, is not binding on this court. See No. 3:22cv117, 2024 WL 1016361, at *3 (E.D. Ark. Mar. 8, 2024). But Hale’s conclusion that damages arising from a data security breach do not “occur[] during the course of medical treatment within the context of the provider-patient relationship” more closely aligns with the language of § 233(a).

And because § 233(a) does not apply, the United States cannot be substituted for Sandhills as the defendant. Section 233(a) allows the United States to be substituted only if the action falls within the scope of immunity. Hui, 559 U.S. at 801. Because § 233(a) does not apply, Appellant’s claims cannot be treated as ones brought pursuant to the FTCA, and thus, the substitution of the United States for Sandhills was in error. It then necessarily follows that the district court erred when it required Appellant to have exhausted her administrative remedies pursuant to the FTCA in order to maintain her suit.

IV.

For these reasons, the district court’s order applying immunity pursuant to § 233(a) and substituting the United States for Sandhills as the defendant is vacated. We remand for further proceedings consistent with this opinion.

VACATED AND REMANDED
