4th Cir.: Ford v. Sandhills Medical- Data Breach not Related To Protections for the Provision of Medical Services

By Ed Boltz, 15 April, 2024

Summary:

Ford brought claims against Sandhills for negligence, breach of implied contract, invasion of privacy, and breach of confidentiality due to the mishandling of her personally identifying information (PII). This information was stolen from a third-party computer system used by Sandhills in a cyberattack. Ford's lawsuit stemmed from her concerns about the misuse of her stolen data, which was used to fraudulently apply for a loan in her name.

Sandhills argued that they were immune from the lawsuit under 42 U.S.C. § 233(a), which provides immunity for entities performing “medical, surgical, dental, or related functions.” They claimed that the storage and protection of PII were part of these related functions because the data was collected as a condition of providing medical treatment. The district court accepted this argument and granted immunity to Sandhills, substituting the United States as the defendant, which led Ford to appeal the decision.

The United States Court of Appeals vacated and remanded the district court's decision. The appellate court concluded that Sandhills' data security practices did not constitute a "related function" under the law because these functions must be closely associated with the delivery of medical, surgical, or dental services. Since the mishandling of PII occurred in a data breach by a third party and was not directly related to the provision of healthcare services, § 233(a) did not apply. The court noted that treating data security as a related function would overly broaden the scope of the statute and could lead to misuse of the immunity provision.

Commentary:

While most of the medical creditors in North Carolina (and hopefully nationwide)  seem to have learned the sometimes costly lesson that the disclosure of PII,  medical or otherwise,  in Proofs of Claim filed in bankruptcy cases is improper,  this case does reject the immunity argument.  By looking at whether data security practices are a "related function"  to providing  protected medical services,  this decision could also be used to narrow the "learned profession" to North Carolina debt collection restrictions.  

To read a copy of the transcript, please see:

Blog comments

ford_v._sandhills.pdf (191.96 KB)
Category
4th Circuit Court of Appeals
v. 1.2.2, © 2013-2025 ncbankruptcyexpert.com, all rights reserved.