Appeals Courts Signal Limits of FTCA Immunity for Health Center Data Breach Claims

Recently, a second federal Court of Appeals held that 42 U.S.C. § 233, a provision of the Public Health Service Act relating to Federal Tort Claims Act (FTCA) protection, does not provide immunity for claims arising from a health center’s allegedly deficient cybersecurity practices.

The decision from the U.S. Court of Appeals for the Eighth Circuit came on top of a similar ruling by the U.S. Court of Appeals for the Fourth Circuit, which held that § 233(a) coverage is limited to “field[s] of health care” and does not extend to other activities that are “proper for a federally funded health center,” such as data security. [1]

Although several lower federal courts in California and New York have applied § 233(a) in data breach litigation—substituting the United States as the defendant in place of the health center—no federal appellate court has ruled in favor of health centers on this issue.

Accordingly, even when a health center has been “deemed” a Public Health Service employee by the U.S. Department of Health and Human Services (HHS), there remains a significant risk that this deemed status and the corresponding FTCA immunity will not extend to data breach litigation.

In light of the Eighth Circuit’s recent decision, separate cyber liability insurance sufficient to cover potential claims is strongly advisable, particularly because any expansion of FTCA coverage to include cybersecurity incidents would likely take years to occur.[2]

Increasing Cyber Litigation Risk for Health Centers

Data breach litigation has increased in both frequency and severity, including class action lawsuits in which health centers are named as defendants alongside third-party vendors and billing contractors. Given this trend, we strongly encourage all clients to review their current cyber liability insurance coverage or consider obtaining a policy if they have not already done so.

For Federally Qualified Health Centers (FQHCs), we recommend consulting with a broker experienced in health care cyber risk to evaluate a standalone cyber liability policy, rather than relying solely on a rider attached to a general liability or professional liability policy. Such coverage should include protection for both first-party losses and third-party liability. First-party coverage typically includes costs associated with breach notification, forensic investigations, business interruption, and ransomware response. Third-party liability coverage should address defense costs, settlements, and regulatory fines arising from claims involving patient data.

Given the volume of protected health information (PHI) handled by FQHCs and the litigation exposure demonstrated by recent class actions, coverage limits of at least $1–5 million (or higher) are worth discussing with your broker. Health centers should also confirm whether their policy covers vendor or contractor incidents, particularly where the health center may be named as a co-defendant even if it was not the source of the breach.

Allowability of Cyber Insurance Under Federal Grant Rules

Keep in mind that under the Uniform Grants Guidance, insurance costs are generally allowable and may be charged to federal grant awards. If the type of insurance a grantee seeks to obtain is not specified in the Notice of Award, its purchase should be made pursuant to established written policies and sound business practices. Accordingly, purchasing a cyber liability policy should be accompanied by a review of the health center’s written policies, procedures and internal systems.

Recommended Action Steps for Health Centers

We recommend health centers do the following: 

  • Contact several reputable insurance brokers familiar with health care organizations to assess and evaluate cyber liability coverage options and pricing
  • Review written policies and procedures—including insurance and procurement policies—to ensure that the purchase of cyber liability coverage is consistent with internal policies and with the Uniform Guidance requirements, particularly if the cost will be charged to federal grant awards
  • Conduct regular risk assessments of their cybersecurity and data protection systems, including email protection measures, access management processes, network management, and incident response planning such as tabletop exercises and downtime procedures
  • Review organizational training programs to ensure staff receive appropriate instruction on HIPAA compliance, emergency operations in the event of a cyberattack, investigation procedures, and incident reporting processes, including HIPAA breach notification requirements
  • Evaluate potential and actual cybersecurity implications of the use of artificial intelligence (AI) by the organization and its workforce
  • Update written policies and procedures and ensure that all cybersecurity, privacy, and risk management activities are properly documented, as such documentation may be required when applying for or renewing cyber insurance coverage

[1] Ford v. Sandhills Medical Center, Inc. (4th Cir. 2024) and Hale v. ARcare, Inc. (8th Cir. 2026). The Fourth Circuit covers Maryland, North Carolina, South Carolina, Virginia, and West Virginia. States covered by the Eighth Circuit include Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota.

[2] In cases where a health center seeks to litigate the issue of its Section 233(a) coverage, its cyber insurance carrier may also be willing to pay some or all of the costs of that litigation, depending on the terms of the applicable insurance policy.

