Ford v. Sandhills Medical Foundation, Inc., No. 22-2268 (4th Cir. 2024)
The United States Court of Appeals for the Fourth Circuit ruled on a case involving a plaintiff, Joann Ford, and a healthcare provider, Sandhills Medical Foundation, Inc. Ford, a former patient of Sandhills, alleged negligence, breach of implied contract, invasion of privacy, and breach of confidentiality against Sandhills for failure to protect her personally identifying information (PII). Her PII was stolen from Sandhills' third-party computer system in a cyberattack after she had ceased being a patient.
The district court had previously granted Sandhills immunity from the suit, concluding that the theft of Ford's PII arose out of Sandhills' performance of “medical, surgical, dental, or related functions” under 42 U.S.C. § 233(a), and substituted the United States as the defendant. However, the Fourth Circuit disagreed with the lower court's interpretation of § 233(a).
The appellate court determined that data security does not fall under a “related function” within the meaning of the statute. The court emphasized that § 233(a) immunity applies when alleged damages arise from the provision of healthcare, which was not the case here. Ford’s injury did not arise from Sandhills’ provision of healthcare, but from a data security breach that occurred at least a year after she ceased being a patient at Sandhills.
Therefore, the court concluded that Sandhills was not immune from the suit under § 233(a) and that the United States could not be substituted as the defendant. The case was vacated and remanded for further proceedings.
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.