
Marshall v. Lamoille Health Partners

United States District Court, D. Vermont
Apr 13, 2023
2:22-cv-166 (D. Vt. Apr. 13, 2023)


PATRICIA MARSHALL, on behalf of herself and all others similarly situated, Plaintiff, v. LAMOILLE HEALTH PARTNERS, INC., Defendant.


OPINION AND ORDER

William K. Sessions III U.S. District Court Judge.

Plaintiff Patricia Marshall claims that a 2022 cyberattack on Defendant Lamoille Health Partners, Inc. (“Lamoille”) resulted in the compromise of her personal information, and that Lamoille is liable for the resulting harm. Marshall brings this case as a putative class action, alleging that the data breach also impacted approximately 60,000 other individuals.

Pending before the Court is Lamoille's motion to dismiss the Complaint for lack of subject matter jurisdiction, filed pursuant to Federal Rule of Civil Procedure 12(b)(1). Lamoille contends that as a “deemed” employee of the United States Public Health Service it enjoys absolute immunity from Marshall's tort claims, and that the exclusive remedy is a claim against the United States. For the reasons set forth below, Lamoille's motion to dismiss is denied.

Factual Background

Lamoille is an integrated health care provider located in Morrisville, Vermont. The Complaint alleges that in 2022, a targeted cyberattack allowed third-party access to Lamoille's computer system, resulting in the compromise of highly-sensitive patient information. That information reportedly included names, addresses, dates of birth, Social Security numbers, and private medical information. Marshall claims in her Complaint that Lamoille maintained that information in a reckless manner, knew of the risk of a data breach, and failed to take necessary security measures.

Marshall is a past or present patient of Lamoille. As a result of the data breach, she and approximately 60,000 others allegedly suffered damages. Those damages included out-of-pocket costs incurred to remedy or mitigate the effects of the breach, emotional distress, and possible future harm in the form of fraud and/or identity theft. The Complaint asserts causes of action for negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. Marshall avers that this Court has federal subject matter jurisdiction under the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d).

Now before the Court is Lamoille's motion to dismiss for lack of subject matter jurisdiction. Lamoille contends that as a federal grant recipient under the Public Health Service Act, it is deemed a Public Health Service employee and is immune from suit. Lamoille further submits that the proper defendant in this case is the United States.

When this lawsuit was filed, Lamoille gave notice to the Office of the General Counsel of the U.S. Department of Health and Human Services and requested that the United States substitute itself as the sole defendant. ECF No. 14-3. On February 1, 2023, the Justice Department informed Lamoille that the United States would “not intervene and substitute itself in place of [Lamoille]” because, in its opinion, this case is not “one ‘for damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions.'” ECF No. 14-3 at 7 (Letter from United States Attorney Nikolas P. Kerest, citing 42 U.S.C. § 233(a)).

Discussion

I. Motion to Dismiss Standard

Under Rule 12(b)(1), “[a] case is properly dismissed for lack of subject matter jurisdiction ... when the district court lacks the statutory or constitutional power to adjudicate it.” Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000). The party invoking the Court's jurisdiction bears the burden of establishing that jurisdiction exists. Conyers v. Rossides, 558 F.3d 137, 143 (2d Cir. 2009).

“In resolving a motion to dismiss under Rule 12(b)(1), the district court must take all uncontroverted facts in the complaint (or petition) as true, and draw all reasonable inferences in favor of the party asserting jurisdiction.” Tandon v. Captain's Cove Marina of Bridgeport, Inc., 752 F.3d 239, 243 (2d Cir. 2014). “[T]he court may resolve the disputed jurisdictional fact issues by referring to evidence outside of the pleadings, such as affidavits, and if necessary, hold an evidentiary hearing.” Zappia Middle E. Constr. Co. v. Emirate of Abu Dhabi, 215 F.3d 247, 253 (2d Cir. 2000). While a court “may consider affidavits and other materials beyond the pleadings to resolve the jurisdictional issue, [it] may not rely on conclusory or hearsay statements contained in the affidavits.” J.S. ex rel. N.S. v. Attica Cent. Sch., 386 F.3d 107, 110 (2d Cir. 2004).

II. Statutory Immunity

Lamoille claims that, as a “deemed” employee of the federal Public Health Service, it is immune from suit. There is no dispute that Lamoille was deemed a Public Health Service employee during the relevant time period.

The Federal Tort Claims Act governs tort claim immunity for federal employees generally, while the Public Health Service Act, 42 U.S.C. § 233, as amended by the Federally Supported Health Centers Assistance Act (“FSHCAA”), specifically provides immunity from claims based on “personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions, including the conduct of clinical studies or investigation ....” 42 U.S.C. § 233(a). The FSHCAA expanded this immunity to health centers that are deemed Public Health Service employees under a federal approval process. See 42 U.S.C. § 233(g)-(n). When immunity applies, the health center is entitled to “substitution of the United States as the defendant if [the] suit concerns actions within the scope of [its] employment as a deemed federal employee.” Id. § 233(a).

A threshold question is whether Marshall is asserting the sort of “personal injury” covered by the statute. Id. The Complaint alleges several forms of harm, including time and money expended to mitigate the impact of the data breach; diminution in the value of Marshall's private information (which she alleges is a “form of property”); violation of privacy rights; and an imminent threat of identity theft and fraud. ECF No. 1 at 33, ¶¶ 134, 136. None of those harms constitute the sort of “personal injury” that, in the words of the statute, might “includ[e] death.” 42 U.S.C. § 233(a). Instead, the injuries set forth in the Complaint largely constitute either past economic harm in the form of mitigation costs, or future generalized harm resulting from the release and possible misuse of personal information. Marshall does allege emotional distress, which Vermont law has construed as an “injury to the person.” Fitzgerald v. Congleton, 155 Vt. 283, 293 (1990) (applying personal injury statute of limitations to claim for emotional distress). Accordingly, the Complaint arguably asserts at least one claim of personal injury.

The parties dispute whether a single emotional distress claim can trigger absolute immunity for the entire suit. Cf. Hui v. Castaneda, 559 U.S. 799, 806 (2010) (holding that Section 233(a) bars “all actions” against Public Health Service officers for conduct that qualifies under the statute). The Court need not resolve that specific dispute, however, since for reasons set forth below the Court finds that Lamoille's immunity hinges on the next question: whether maintenance of patient information qualifies as “performance of medical, surgical, dental, or related functions” under the FSHCAA. 42 U.S.C. § 233(a).

In support of its argument that maintaining patient records is a “related function” under Section 233(a), Lamoille notes that the federal statute governing health care centers requires “an ongoing quality improvement system that includes clinical services and management, and that maintains the confidentiality of patient records.” 42 U.S.C. § 254b(k)(3)(C). Lamoille also cites the implementing regulations, which require health care centers to provide “appropriate safeguards for confidentiality of patient records.” 42 C.F.R. § 51c.110. When Lamoille applies annually for deemed employee status with the Public Health Service, it attests that it has implemented such safeguards. ECF No. 14-1 at 3-4, ¶ 8 (Affidavit of Stuart G. May, President and Chief Executive of Lamoille).

These federal requirements are undoubtedly designed to help preserve the confidentiality of patient information. Nonetheless, the required safeguards fall largely within the realms of information technology and compliance rather than medical care. Accordingly, their existence does not tip the scale in favor of finding that the secure preservation of patient information is a “related function” when compared to the performance of medical, dental, or surgical care.

Marshall urges the Court to limit Section 233(a) to medical care functions. The legislative history cited in the briefing certainly suggests that immunity from medical malpractice claims was a driving force behind the legislation. In Cuoco v. Moritsugu, 222 F.3d 99, 107 (2d Cir. 2000), the Second Circuit recognized immunity beyond medical malpractice, applying Section 233(a) protection to an inmate's claim of inadequate medical care under a “deliberate indifference” standard. Even under that broader standard, however, the focus of the immunity analysis was the provision of medical care. See id. at 108-09 (“Critical to [the doctor's] immunity is the fact that [the] complained of behavior occurred entirely in his capacity as a doctor responsible for, and in the course of rendering medical treatment for, Cuoco.”). Indeed, Cuoco noted that under Section 233(a), “[t]he United States ... in effect insures designated public health officials by standing in their place financially when they are sued for the performance of their medical duties.” Id. at 108 (emphasis supplied). The court also posited that by providing immunity, “[t]he statute may well enable the Public Health Service to attract better qualified persons to perform medical, surgical and dental functions ....” Id.

There is little case law within this Circuit applying Section 233(a) to data security. In Mele v. Hill Health Center, the United States District Court for the District of Connecticut considered a deliberate indifference claim against a defendant for allegedly disclosing confidential medical information to a third-party hospital and a substance abuse foundation. No. 3:06CV455SRU, 2008 WL 160226, at *3 (D. Conn. Jan. 8, 2008). The information included an “exchange” of treatment information that was disclosed “in the course of” Plaintiff's drug treatment program, but allegedly lacked a proper release. Id. at *2-*3. The court identified its task as “determin[ing] whether [plaintiff's] claims arise out of the defendants' performance of their medical duties,” and concluded that the plaintiff's claims did, in fact, “concern the medical functions of providing treatment and the related function of ensuring the privacy of patient medical information.” Id. at *3.

Mele is distinguishable from this case. In Mele, the information was shared in the course of treatment as an exchange of patient information. The court reached its conclusion after narrowing the inquiry to whether the plaintiff's claims arose out of the performance of medical duties. Here, the information in question was part of a broad data breach, was not released in the course of any identified course of treatment, and was not shared in order to further such treatment. Marshall instead alleges a technological failure that resulted in the accidental release of information unrelated to any specific treatment plan. As such, her allegations do not “arise out of the defendants' performance of their medical duties.” Id.

Lamoille relies on a small group of district court cases from outside the Second Circuit, two of which were decided by the same judge. In those latter two cases, the court reasoned that because patients must provide personal information to receive medical services, the unauthorized release of such information by means of a data breach “arose out of [the health care center's] performance of medical or related functions within the scope of its employment as a deemed PHS employee.” Mixon v. CareSouth Carolina, 4:22-cv-269-RBH, 2022 WL 1810615, at *3 (D.S.C. June 2, 2022); Ford v. Sandhills Med. Found., 4:21-cv-2307, 2022 WL 181614, at *4 (D.S.C. June 2, 2022). For support on this point, both cases cite Cuoco. See Mixon, 2022 WL 810615, at *3; Ford, 2022 WL 181614 at *4. Yet Cuoco does not support that conclusion, as the Second Circuit focused its analysis on whether the “complained of behavior occurred ... in the course of rendering medical treatment.” 222 F.3d at 108-09.

Mixon and Ford also highlighted the statutory duties imposed upon health care centers to maintain the confidentiality of patient records. Mixon, 2022 WL 1810615, at *4; Ford, 2022 WL 181614 at *5. As noted above, this Court does not deem the statutory duty to maintain confidential records as weighing in favor of absolute immunity under Section 233(a). This Court also disagrees that receiving personal information from patients necessarily renders the protection of that information, including protection from cyberattack, a “related function” when compared to medical, dental, or surgical care.

The one other case directly addressing immunity for a data breach is Doe v. Neighborhood Healthcare, 3:21-cv-1587, 2022 WL 17663520 (S.D. Cal. Sept. 8, 2022). Doe reviewed Mixon and Ford and found the judge's reasoning in those cases “persuasive.” 2022 WL 17663520, at *7. Doe further found that although maintaining confidential information “was not done in the actual rendering of medical treatment, it is a related function because maintaining confidential personal and health information is necessary to effectively treat patients.” Id. Doe did not explain why employing specific practices and technologies, particularly in relation to possible cyberthreats, qualifies as a “medical, dental, surgical, or related function.”

Several courts have applied Section 233(a) immunity to activities that are “interwoven” with the provision of direct medical care. Goss v. United States, 353 F.Supp.3d 878, 886 (D. Ariz. 2018) (collecting cases). For example, in Teresa T. v. Regaglia, 154 F.Supp.2d 290, 300 (D. Conn. 2001), the court held that a physician's duty to report suspected child abuse was a “related function” because it “add[ed] a required element to the doctor's evaluation of his patient” and was “inextricably woven into his performance of medical functions.” In Houck v. United States, 1:19-cv-2038, 2020 WL 7769772, at *2 (D.S.C. Dec. 30, 2020), the court found immunity under Section 233(a) for a health care center's review of professional credentials and claims histories, particularly where the facility had knowledge of a doctor's illicit conduct with patients. See also Brignac v. United States, 239 F.Supp.3d 1367, 1377 (N.D.Ga. 2017) (concluding that a “negligent hiring and retention claim is a ‘related function’ to the provision of medical services” because defendant medical care facility was required by the FSHCAA to vet physicians). In each of those cases, the “related function” was directly “interwoven” with the caregiver's provision of medical care.

This case is different. Here, Marshall is claiming that Lamoille failed to provide adequate cybersecurity. Specifically, the Complaint alleges that Lamoille knew the risks of a cyberattack, failed to “take steps necessary to secure the Private Information from those risks,” and “failed to properly monitor the computer network and IT systems that house the Private Information.” ECF No. 1 at 2, ¶¶ 4-5. The Complaint further alleges that Lamoille “could have prevented this Data Breach by properly encrypting or otherwise protecting their equipment and computer files containing Private Information.” Id. at 10, ¶ 50. The Complaint cites Federal Trade Commission guidelines for businesses, which reportedly recommend security safeguards including information encryption; the use of intrusion detection systems; monitoring incoming traffic; implementing industry-standard security methods; and developing a response plan in the event of a breach. Id. at 14, ¶¶ 63, 64. Marshall claims that Lamoille failed to adhere to such industry best practices, and that it is therefore liable for the resulting data breach.

None of these technology-related activities were “interwoven” with the provision of medical care. They instead consisted of security-related work by information technology and compliance personnel in a health care setting. That the data in question included personal patient information is not dispositive. It is the nature of the “function” that is at issue, and the Court finds the technology-specific allegations in this case do not include “medical, dental, surgical, or related functions” as required for immunity under the FSHCAA. Accordingly, Lamoille's motion to dismiss for lack of subject matter jurisdiction is denied.

Conclusion

For the reasons set forth above, Lamoille's motion to dismiss this case for lack of subject matter jurisdiction (ECF No. 14) is denied.

