SAN DIEGO (LN) — A federal judge on Tuesday granted a motion to remand a putative class action involving a healthcare provider’s data breach to state court, ruling that the defendant’s electronic storage of patient information does not qualify for federal officer removal or immunity under the Federally Supported Health Centers Assistance Act.
U.S. District Judge Anthony Battaglia, writing for the court, determined that the defendant, Imperial Beach Community Clinic, failed to establish federal subject matter jurisdiction under either 42 U.S.C. § 233(a) or 28 U.S.C. § 1442(a)(1).
The case originated in the Superior Court of California for the County of San Diego, where plaintiff Mark Jessie Ramirez filed a complaint alleging negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violations of the California Confidentiality of Medical Information Act and Unfair Competition Law. Ramirez accused the clinic of failing to properly safeguard patients’ personal information stored in its information network.
The clinic removed the action to federal court in March 2026, arguing it was immune from suit under § 233(a) because the data breach stemmed from the performance of “medical, surgical, dental, or related functions.” The statute provides that the exclusive remedy for damages resulting from such functions by employees of the U.S. Public Health Service is a claim against the United States under the Federal Tort Claims Act.
The court rejected this argument, holding that the electronic storage of personal identifying information is not a “medical, surgical, dental, or related function” within the meaning of the statute.
Judge Battaglia distinguished the duty to maintain data security of medical professionals to maintain confidentiality in their practice. The court noted that while data security is integrated into modern medicine, it is not itself a field of health care.
“The duty to maintain the security of stored data is therefore not ‘intertwined’ with medical treatment,” the court wrote, contrasting the case with prior rulings where failures to report patient compliance with treatment plans were found to be related to medical services.
The ruling aligns with recent decisions from the Fourth and Eighth Circuits, which have similarly held that § 233 immunity does not cover data breaches. The Fourth Circuit in Ford v. Sandhills Medical Foundation, Inc. stated that the term “related functions” explicitly encompasses only the provision of health care, while the Eighth Circuit in Hale v. ARcare, Inc. concluded that data security is not a field of health care outside of medicine, surgery, or dentistry.
The court also ruled that removal under the general federal officer removal statute, § 1442(a)(1), was improper. To qualify for removal under this statute, a defendant must demonstrate a causal nexus between its actions and a federal officer’s directions, and assert a colorable federal defense.
Because the court found that § 233 immunity did not apply, the defendant lacked a colorable federal defense. Additionally, the court found that managing a network storing medical patients’ data did not constitute acting under a federal officer’s directions, noting that complying with federal laws and regulations alone does not trigger federal officer removal.
The court’s order affects three other related cases against the same defendant pending in the Southern District of California. The judge stated that orders remanding those actions would be entered pursuant to a joint motion.
The clerk of court was directed to close the case.