A pair of recently-issued court decisions provide significant assistance to healthcare providers who are considered Federally Qualified Health Centers (FQHC) and are facing litigation following a data security incident; both appear to be cases of first impression.
The United States District Court for the District of South Carolina found that FQHCs who tender the defense of data security claims to the federal government under the Federal Tort Claims Act (FTCA) (28 U.S.C. § 1346(b)) may substitute the United States as a defendant. Under the FTCA, a FQHC is entitled to absolute immunity “…for actions arising out of the performance of medical or related functions…” (Hui v. Castaneda, 559 U.S. 799, 806 (2010), citing 42 U.S.C. § 233(a)). Thus, for claims subject to the FTCA, a plaintiff must bring his or her claim against the United States, rather than the FQHC itself. Historically, the FTCA had only been applied to medical malpractice claims, and until now, it was a disputed issue whether the FTCA could be invoked by a FQHC facing litigation over a data security incident.
The same District Court, in Mixon v. Caresouth Carolina, Inc. (Case No. 4:22-cv-00269) and Ford v. Sandhills Medical Foundation (Case No. 4:21-cv-02307), granted a motion to substitute the United States in place of an FQHC sued over a data security incident, despite the motion having been opposed by the United States itself.
The District Court found that both of the above-mentioned data security incidents arose out of medical functions subject to the FTCA. Because patients were required to provide their personal information to the FQHCs to receive medical services, and federal law imposes a duty to maintain the confidentiality of patients’ medical information, the United States is the appropriate defendant. Accordingly, due to the immunity provided to FQHCs under the FTCA, the FQHCs are no longer defendants in the litigation.
Although it remains possible other courts will decide these issues differently, these decisions are a welcome development for FQHCs facing litigation stemming from data security incidents.
Mullen Coughlin incorporates this development into its strategic advice to its clients. We will continue to monitor evolving case law on these and other issues relevant to data security litigation and will provide related updates as warranted.
If you have any questions about these cases, how it may affect your organization or if you have been faced with data security litigation, please contact the Mullen Coughlin Litigation team – Claudia McCarron (; 267.930.4787) or Jim Monagle (; 267.930.1529).