HALE v. United States of America, Amicus on Behalf of Appellee(s) (2026)

ARcare, Inc. (“ARcare”) is a nonprofit community health center with facilities across Arkansas, Kentucky, and Mississippi. ARcare receives funding under the federal Public Health Service Act (“PHSA”) to provide primary care and related services to communities designated as “medically underserved” by the Department of Health and Human Services. See 42 U.S.C. § 254b. In the Federally Supported Health Centers Assistance Act (“FSHCAA”), Congress granted absolute immunity to health centers receiving PHSA funding “for damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions.” 42 U.S.C. § 233(a) (emphasis added). Congress determined that federally funded health centers were spending too much of their PHSA grants on medical malpractice insurance premiums and sought to “essentially make[ ] the U.S. government the medical malpractice insurer for qualifying § 245(b) health centers” and their employees. Dedrick v. Youngblood, 200 F.3d 744, 745 (11th Cir. 2000); see H.R. Rep. No. 102-823, pt. 1, at 3-5, pt. 2, at 4 (House Judiciary Committee 1992); H.R. Rep. No. 104-398, at 6 (House Commerce Committee 1995).

The issue in this case is whether this absolute statutory immunity extends to patient damage actions for losses caused when an unauthorized third party breached ARcare's data network and gained access to patients' confidential information. The district court ¹ concluded that ARcare is not immune from these suits because protecting confidential patient information is not “the performance of medical, surgical, dental, or related functions” under § 233(a). ARcare appeals. Reviewing the issue of statutory immunity de novo, we conclude the district court correctly interpreted the FSHCAA provisions at issue and therefore affirm. SeeLetterman v. Does, 859 F.3d 1120, 1125 (8th Cir. 2017) (standard of review).

I. Background

In January and February 2022, an unauthorized third party breached ARcare's data network and gained access to patients' confidential information, including names, dates of birth, social security numbers, and medical treatment and diagnosis information. After learning of the network breach, ARcare notified current and former patients that their confidential information had been accessed without authorization. Many affected patients sued. ARcare removed the actions to federal court. After the district court consolidated six pending class action cases on March 1, 2023, Plaintiffs filed a Consolidated Complaint alleging ARcare failed to safeguard class members' personal information as required by the federal Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations. Plaintiffs allege they received invoices for medical services never rendered and discovered their confidential information available for sale on the dark web.

ARcare claims absolute immunity from these claims under § 233(a) of the FSHCAA. Section 233(g) provides that health centers receiving federal funding under § 330 of the PHSA may be deemed Public Health Service (“PHS”) employees and are granted immunity from, inter alia, claims that result from the PHS employee's “performance of medical, surgical, dental, or related functions.” It is undisputed that ARcare was a deemed PHS employee during the relevant time period. For entities deemed PHS employees, “Section 233(a) makes the FTCA remedy against the United States ‘exclusive of any other civil action or proceeding’ for any personal injury caused by a PHS officer or employee performing a medical or related function ‘while acting within the scope of his office or employment.’ ” Hui v. Castaneda, 559 U.S. 799, 802, 130 S.Ct. 1845, 176 L.Ed.2d 703 (2010). Accordingly, ARcare moved to substitute the United States as defendant under the Federal Tort Claims Act. The United States had previously declined ARcare's request to intervene and opposed the motion to substitute.

The district court initially held that § 233 permits a court to order substitution of the United States over its objection, citing district court decisions from other circuits on an issue we have not addressed. Without moving to intervene and filing a cross-appeal, the United States filed a Brief for the United States as Amicus Curiae in support of appellees in which it argues, at the end of the brief, that “Section 233 Does Not Provide Authority to Compel Substitution of the United States,” citing no supporting judicial authority on this FSHCAA issue. ARcare argues the issue is not properly before us, noting the established rule that even an appellee may not attack a decree to enlarge its own rights absent a cross-appeal. We agree and therefore decline to consider the issue, which in any event would not affect the disposition of this appeal.

On the merits of the motion to substitute, the district court surveyed judicial decisions applying § 233(a) and concluded (i) that the data breach did not occur “during the course of medical treatment within the context of the provider-patient relationship,” and (ii) that the nexus between protecting patient information from cyber attacks and the provision of patient care was not close enough to render ARcare's failure to protect patient information from this cyber attack a “related function.” Therefore, ARcare is not entitled to the claimed statutory immunity. We have jurisdiction over this interlocutory appeal. See Hui, 559 U.S. at 804 n.4, 130 S.Ct. 1845. The United States appears as amicus curiae on behalf of plaintiff-appellees in support of the district court's denial of immunity. The merits of Plaintiffs' claims against ARcare are not before us.

II. Discussion

On appeal, ARcare does not contend that safeguarding patient information is itself a medical, surgical, or dental function, so the applicability of § 233(a) absolute immunity turns on whether ARcare's data security practices are “related functions.” ARcare argues that the “broad” and “unqualified” language of § 233(a) provides “comprehensive” immunity for deemed employees that is not limited to acts and omissions occurring during medical treatment. ARcare argues Krandle v. Refuah Health Center, Inc., No. 22-CV-4977, 2024 WL 1075359 (S.D.N.Y. Mar. 12, 2024), published a few days after the district court's Order being appealed, and Friedenberg v. Lane Cnty., 68 F.4th 1113 (9th Cir. 2023), which the district court distinguished, are persuasive authority for its interpretation of “related functions.” Appellees urge us to follow the Fourth Circuit's more recent decision in Ford v. Sandhills Med. Found., Inc., which held that § 233(a) immunity did not shield a nonprofit health center from liability following a cyber attack similar to the one that ARcare sustained. 97 F.4th 252, 254 (4th Cir. 2024), cert. denied, ––– U.S. ––––, 145 S. Ct. 1308, 221 L.Ed.2d 395 (2025).

In Krandle, the court concluded that § 233(a) covered a data breach of a New York nonprofit health center's systems. “Medical,” “surgical,” and “dental” are “adjectives that pertain or relate to treatment,” but “they are not exclusively defined by treatment.” 2024 WL 1075359 at *4. The broad term “related” requires only “a real relationship to the practice of medicine,” and the health center's “responsibility to secure data from internal and external threats ․ is essential to the practice of medicine.” Id. at *5, 9. Friedenberg involved a damage claim for the failure by a community health center's employees to report a patient's violations of his court-ordered treatment plan. The Ninth Circuit held that the employees were entitled to § 233(a) immunity because “[t]he statutory text clearly shows that immunity is not tied to whether the tort transpired in caring for the patient. Rather ․ as long as a claim is derived from providing services to subjects of the health care provider, the deemed PHS employee is immune from suit.” 68 F.4th at 1127 (emphasis removed). The employees' failure to report was sufficiently “intertwined with their provision of medical services” to qualify as a “related function.” Id. at 1130.²

In Ford, on which Appellees rely, the Fourth Circuit held that a nonprofit health center was not immune from liability under § 233(a) following a cyber attack similar to the one at issue. The plain meaning of “related functions,” the court concluded, is a category in the field of health care outside of medicine, surgery, or dentistry, the terms that precede “related functions” in § 233(a). 97 F.4th at 259. Therefore, “to trigger immunity, alleged damages giving rise to a lawsuit must arise from the provision of health care.” Id. at 260. Data protection is not the performance of an action taken in the course of rendering treatment; the health center retains the relevant data even after the patient relationship ends. Therefore, the health center's argument that § 233(a) applies to any action patients take to obtain medical care, such as providing confidential health information, “would shield [the center] from any and all claims despite their lack of relation to their treatment.” Id. at 260-61.

We conclude the Fourth Circuit's interpretation of § 233(a) in Ford is more persuasive than the authorities on which ARcare relies. The FSHCAA does not define “related functions” or any of the terms at issue, so we begin with the text of § 233(a), interpreting the words “consistent with their ordinary meaning at the time Congress enacted the statute.” Wisconsin Cent. Ltd v. United States, 585 U.S. 274, 277, 138 S.Ct. 2067, 201 L.Ed.2d 490 (2018) (cleaned up). We first “determine whether the language at issue has a plain and unambiguous meaning with regard to the particular dispute ․ by reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole.” LaCurtis v. Express Med. Transporters, Inc., 856 F.3d 571, 578 (8th Cir. 2017), quoting Robinson v. Shell Oil Co., 519 U.S. 337, 340-41, 117 S.Ct. 843, 136 L.Ed.2d 808 (1997). “If the intent of Congress can be clearly discerned from the statute's language, the judicial inquiry must end.” United States v. Lester, 92 F.4th 740, 742 (8th Cir. 2024) (cleaned up). But when a provision “is susceptible to more than one interpretation, we examine other authorities to determine legislative intent.” Stanley v. Cottrell, Inc., 784 F.3d 454, 466 (8th Cir. 2015).

When the words in a phrase are broad and indeterminate, such as “relating to,” “context ‘may tug in favor of a narrower reading.’ ” Barcomb v. Gen. Motors LLC, 978 F.3d 545, 550 (8th Cir. 2020) (quotation omitted). The context here is the use of general language following a list of three specific functions. As the Supreme Court recently explained:

One way to discern the reach of [such a] clause is to look for guidance from whatever examples come before it. Two general principles are relevant. First, the canon of noscitur a sociis teaches that a word is given more precise content by the neighboring words with which it is associated․ And under the related canon of ejusdem generis, a general or collective term at the end of a list of specific items is typically controlled and defined by reference to the specific classes that precede it.

Fischer v. United States, 603 U.S. 480, 487, 144 S.Ct. 2176, 219 L.Ed.2d 911 (2024) (cleaned up); see Christopherson v. Cinema Enter. Corp., 161 F.4th 525, 528 (8th Cir. 2025).

Related is generally defined as “connected by reason of an established or discoverable relation,” Webster's Third New International Dictionary (1968), or “associated; connected” and “allied by nature,” The American College Dictionary (1970). Function is defined as “the action for which a person or thing is specially fitted, used, or responsible or for which a thing exists,” Webster's, and as “the kind of action or activity proper to a person, thing, or institution,” The American College Dictionary. Thus, in the context of § 233(a), related functions are activities having similar characteristics or that are specially fitted to the preceding enumerated categories of medical, surgical, or dental functions.

We agree with the court in Ford that the adjectives medical, surgical, and dental each describe a branch of health care. Therefore, applying the relevant canons of statutory construction, a related function is “a field of health care outside of medicine, surgery, or dentistry.” 97 F.4th at 259. Although data security is now integrated into the modern practice of medicine with the transition to electronic medical records, it is not itself a field of health care. Data storage and security are standard modern business practices and are therefore activities proper for a federally funded health center, but they are neither specific to the medical field nor “specially fitted” to the performance of medical, surgical, or dental practices.

The text preceding and following “related functions” in § 233(a) provides additional support for this interpretation. The statutory immunity applies only to claims “for damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions.” Personal injury is “an injury affecting one's physical and mental person as contrasted with one causing damage to one's property.” Webster's Third New International Dictionary (1968). In this context, the terms are most naturally read to encompass damages resulting from substandard performance in the provision of health care. Interpreting a claim for damages from wrongful disclosure of patient information as a personal injury claim “may improperly broaden § 233(a) to encompass misfeasance that results in other types of damages, such as contract damages.” Ford, 97 F.4th at 260.

ARcare argues that the statute's application to claims “resulting from the performance of medical ․ or related functions” requires only “that the action in some way originates in, stems from, or is a consequence of the deemed defendant's performance of medical or related functions.” But the term “related functions” serves to clarify the scope of an immunity whose meaning is cabined by the preceding adjectives medical, surgical, and dental. Section 233(a) does not broadly cover claims originating from the performance of any hospital function, only from performance of some activity specially fitted to the performance of health care. ARcare's reading offers no limiting principle. Almost any task a hospital employee completes could be characterized as stemming or originating from a hospital function. Here, plaintiffs did not even allege they remained patients of ARcare at the time of the data breach. Some of their claims may loosely relate to past treatment but they did not arise from any actions taken by ARcare in the course of medical treatment.

As a second contextual clue, Congress in § 233(a) clarified that related functions include “the conduct of clinical studies or investigation.” The word “clinical,” which is defined as “concerned with observation and treatment of disease in the patient,” The American College Dictionary (1970), further reflects a focus on the provision of health care. By contrast, the meaning of “related functions” urged by ARcare includes any duties that are merely “interwoven” with medical care, such as administrative and operational ones. ARcare suggests that this reference to clinical studies and investigation calls for a broader interpretation of “related functions” because 42 U.S.C. § 241, which governs PHS research and investigations, also references non-medical categories -- “water purification, sewage treatment, and pollution of lakes and streams.” However, § 233(a) does not reference § 241 in delineating what qualifies as “clinical studies or investigation.” In context, clinical studies and investigation exemplify what is included in the limited subset of “medical, surgical, dental, or related functions.”

ARcare looks to other statutory language to support its interpretation of § 233(a). Because § 233(a) applies to “any other civil action or proceeding” and extends immunity to “any commissioned officer or employee of the Public Health Service while acting within the scope of his office or employment,” ARcare argues its scope cannot be limited to claims arising from the provision of health care services. But the reference to “any other civil action or proceeding” reflects the broad scope of the grant of immunity when § 233 does in fact apply, which is limited by the meaning of the phrase “medical ․ or related functions.” ARcare rightly notes that “any commissioned officer or employee” means the related function need not be performed by a physician, surgeon, or dentist, and that § 233(g)(1)(A) grants immunity to federally funded health center entities and “any officer ․ or employee.” However, Congress anticipated that persons involved in providing health care who are not physicians, surgeons, or dentists, and board members and administrators overseeing the provision of health care in a hospital, are named in medical malpractice suits and warrant this grant of immunity.

ARcare also argues that reading § 233(a) to cover actions resulting from the provision of health care renders the “related functions” language superfluous, contrary to proper statutory interpretation. See, e.g., Ysleta Del Sur Pueblo v. Texas, 596 U.S. 685, 698-99, 142 S.Ct. 1929, 213 L.Ed.2d 221 (2022). But appellees and the United States as amicus curiae note functions that are not medical, surgical, or dental but are sensibly characterized as related to those categories, such as physical therapy and pharmacy. Under our reading of the plain language, the term “related functions” is not superfluous.

Based on the plain meaning of the statutory text, confirmed by the statutory context reflected in the legislative history of the PHSA and the FSHCAA, we agree with Appellees that § 233(a) does not confer immunity for claims concerning ARcare's data security practices. Congress did not intend that the government (i.e., taxpayers) bear the cost of subsidizing health centers for types of insurable business expenses that are not part of “a field of health care outside of medicine, surgery, or dentistry,” like the damage claims at issue in this case. For the foregoing reasons, we affirm the district court's denial of ARcare's motion to substitute the United States.

FOOTNOTES

1.   The Honorable Brian S. Miller, United States District Judge for the Eastern District of Arkansas.

2.   The district court noted that Friedenberg, like other cases applying § 233(a) immunity to claims for failure to protect private information, “involve[d] conduct that occurred during the course of medical treatment within the context of the provider-patient relationship.”

LOKEN, Circuit Judge.