Aleuta v. Community Clinic of Maui, Inc.
This text of Aleuta v. Community Clinic of Maui, Inc. (Aleuta v. Community Clinic of Maui, Inc.) is published on Counsel Stack Legal Research, covering District Court, D. Hawaii primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
Opinion
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF HAWAI‘I
IN RE COMMUNITY CLINIC OF MAUI Civil No. 24-00431 MWJS-WRP DATA BREACH LITIGATION (Applies to Removed Consolidated Cases: 25-cv-00030; 25-cv-00031; 25-cv-00032; 25-cv-00033)
ORDER GRANTING NON-PARTY THE
UNITED STATES’S MOTION TO
REMAND
INTRODUCTION In May 2024, the Community Clinic of Maui, Inc., doing business as Malama I Ke Ola Health Center, experienced a cyberattack. Thousands of patients’ personal data were stolen. A number of lawsuits arose from the incident, several of which were filed in state court. Although those cases raised only state law claims, Malama notified the United States that it believed it was entitled to immunity and to removal to federal court based on its receipt of federal funding under the Federally Supported Health Centers Assistance Act (FSHCAA). The United States generally agreed that Malama was deemed a federal employee for the relevant time period. But it disclaimed that Malama was deemed an employee specifically with respect to the cybersecurity incident at hand. Malama nonetheless removed the cases to this court. Before the court is a motion, filed by the United States, to remand these cases to state court on the basis that Malama is not authorized to remove these cases to federal court under the FSHCAA, see 42 U.S.C. § 233(l)(2), or under the general federal officer removal statute, see 28 U.S.C. § 1442. For the reasons explained below, the court agrees
on both points. The United States’s motion is therefore GRANTED, and the removed cases are REMANDED to state court. BACKGROUND
A. The Federally Supported Health Centers Assistance Act Malama is a federally funded community health center. ECF No. 1, at PageID.2.1 Under the Public Health Service Act, the federal government may extend “grants for the
costs of the operation of public and nonprofit private health centers that provide health services to medically underserved populations.” 42 U.S.C. § 254b(e)(1)(A). An amendment to that Act, the FSHCAA, minimizes costs for these health centers in another way: Under the FSHCAA, federally funded health centers and their employees
can be “deemed” federal employees of the U.S. Public Health Service (PHS) “for the purposes of malpractice liability.” Blumberger v. Tilley, 115 F.4th 1113, 1117 (9th Cir. 2024) (citing 42 U.S.C. § 233(g)). If approved for FSHCAA protections, the health
centers and their employees benefit from the same immunity as true PHS employees. Friedenberg v. Lane County, 68 F.4th 1113, 1126-28 (9th Cir. 2023) (citing 42 U.S.C. § 233(g)(1)(A)). That is, the general principle that the United States “may not be sued
1 Except where otherwise specified, all docket citations in this order refer to the docket in No. 25-cv-00030, Fred Curimao v. Community Clinic of Maui, Inc. without its consent” and the United States’s limited consent to suit under the Federal Tort Claims Act (FTCA) both apply to the health centers enjoying FSHCAA immunity.
Id. at 1124 (quoting United States v. Mitchell, 463 U.S. 206, 212 (1983)). The practical consequence is that FTCA actions against the United States become the exclusive remedy for medical malpractice suits that would otherwise be brought against the
health centers or their employees for “actions taken within the scope of their employment.” Blumberger, 115 F.4th at 1117 (citing 42 U.S.C. § 233(a), (g)(1)(A)). This immunity prevents the “health centers from having to use their federal funds to
purchase costly medical malpractice insurance, which is one of the most significant expenses for health centers.” Friedenberg, 68 F.4th at 1124-25 (cleaned up). To be eligible for these federal protections, health centers must annually apply to the U.S. Department of Health and Human Services (HHS). See 42 U.S.C. § 233(g)(1)(A),
(D). Health centers approved by the Secretary of HHS are deemed “employees” of PHS for that limited purpose. Id. § 233(g)(1)(A). The Secretary’s determination is “final and binding upon the Secretary and the Attorney General.” Id. § 233(g)(1)(F). The
Secretary’s “deeming decision, however, does not automatically immunize a covered entity or employee from” any particular suit. Blumberger, 115 F.4th at 1118. Instead, to be eligible for FTCA immunity, the suit must be for “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related
functions, including the conduct of clinical studies or investigation.” 42 U.S.C. § 233(a). And the “‘act or omission giving rise to the claim’ must also have occurred while the defendant was ‘acting within the scope of [their] office or employment.’” Blumberger,
115 F.4th at 1118 (brackets omitted) (quoting 42 U.S.C. § 233(a)). When a medical malpractice suit is filed against a federally supported health center or its employee, courts must therefore determine whether the defendant was “acting within the scope
of” their employment with PHS such that an FTCA claim against the United States itself is the exclusive remedy. Id. (quoting 42 U.S.C. § 233(a)). To assist courts with this determination, federal law directs the U.S. Attorney
General to appear in cases brought against federally supported health centers or their personnel and to certify whether the “entity, officer, governing board member, employee, or contractor of the entity is deemed to be an employee of the Public Health Service” for the purposes of the FSHCAA “with respect to the actions or omissions that
are the subject of such civil action or proceeding.” 42 U.S.C. § 233(l)(1). This appearance must be made within fifteen days of receiving notice of an action against a deemed employee. Id. If the Attorney General answers in the affirmative, the employee
is presumed to be acting within the scope of their employment, Blumberger, 115 F.4th at 1131, and the Attorney General “shall” remove the case to federal court, 42 U.S.C. § 233(c). The federal court may then, upon a motion to remand, hold a hearing as to whether the deemed employee was indeed acting within the scope of their employment
at the time of the malpractice. Blumberger, 115 F.4th at 1119; 42 U.S.C. § 233(c). The statute contemplates that the Attorney General might fail to appear within the prescribed fifteen days. Blumberger, 115 F.4th at 1119. If the Attorney General fails
Free access — add to your briefcase to read the full text and ask questions with AI
IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF HAWAI‘I
IN RE COMMUNITY CLINIC OF MAUI Civil No. 24-00431 MWJS-WRP DATA BREACH LITIGATION (Applies to Removed Consolidated Cases: 25-cv-00030; 25-cv-00031; 25-cv-00032; 25-cv-00033)
ORDER GRANTING NON-PARTY THE
UNITED STATES’S MOTION TO
REMAND
INTRODUCTION In May 2024, the Community Clinic of Maui, Inc., doing business as Malama I Ke Ola Health Center, experienced a cyberattack. Thousands of patients’ personal data were stolen. A number of lawsuits arose from the incident, several of which were filed in state court. Although those cases raised only state law claims, Malama notified the United States that it believed it was entitled to immunity and to removal to federal court based on its receipt of federal funding under the Federally Supported Health Centers Assistance Act (FSHCAA). The United States generally agreed that Malama was deemed a federal employee for the relevant time period. But it disclaimed that Malama was deemed an employee specifically with respect to the cybersecurity incident at hand. Malama nonetheless removed the cases to this court. Before the court is a motion, filed by the United States, to remand these cases to state court on the basis that Malama is not authorized to remove these cases to federal court under the FSHCAA, see 42 U.S.C. § 233(l)(2), or under the general federal officer removal statute, see 28 U.S.C. § 1442. For the reasons explained below, the court agrees
on both points. The United States’s motion is therefore GRANTED, and the removed cases are REMANDED to state court. BACKGROUND
A. The Federally Supported Health Centers Assistance Act Malama is a federally funded community health center. ECF No. 1, at PageID.2.1 Under the Public Health Service Act, the federal government may extend “grants for the
costs of the operation of public and nonprofit private health centers that provide health services to medically underserved populations.” 42 U.S.C. § 254b(e)(1)(A). An amendment to that Act, the FSHCAA, minimizes costs for these health centers in another way: Under the FSHCAA, federally funded health centers and their employees
can be “deemed” federal employees of the U.S. Public Health Service (PHS) “for the purposes of malpractice liability.” Blumberger v. Tilley, 115 F.4th 1113, 1117 (9th Cir. 2024) (citing 42 U.S.C. § 233(g)). If approved for FSHCAA protections, the health
centers and their employees benefit from the same immunity as true PHS employees. Friedenberg v. Lane County, 68 F.4th 1113, 1126-28 (9th Cir. 2023) (citing 42 U.S.C. § 233(g)(1)(A)). That is, the general principle that the United States “may not be sued
1 Except where otherwise specified, all docket citations in this order refer to the docket in No. 25-cv-00030, Fred Curimao v. Community Clinic of Maui, Inc. without its consent” and the United States’s limited consent to suit under the Federal Tort Claims Act (FTCA) both apply to the health centers enjoying FSHCAA immunity.
Id. at 1124 (quoting United States v. Mitchell, 463 U.S. 206, 212 (1983)). The practical consequence is that FTCA actions against the United States become the exclusive remedy for medical malpractice suits that would otherwise be brought against the
health centers or their employees for “actions taken within the scope of their employment.” Blumberger, 115 F.4th at 1117 (citing 42 U.S.C. § 233(a), (g)(1)(A)). This immunity prevents the “health centers from having to use their federal funds to
purchase costly medical malpractice insurance, which is one of the most significant expenses for health centers.” Friedenberg, 68 F.4th at 1124-25 (cleaned up). To be eligible for these federal protections, health centers must annually apply to the U.S. Department of Health and Human Services (HHS). See 42 U.S.C. § 233(g)(1)(A),
(D). Health centers approved by the Secretary of HHS are deemed “employees” of PHS for that limited purpose. Id. § 233(g)(1)(A). The Secretary’s determination is “final and binding upon the Secretary and the Attorney General.” Id. § 233(g)(1)(F). The
Secretary’s “deeming decision, however, does not automatically immunize a covered entity or employee from” any particular suit. Blumberger, 115 F.4th at 1118. Instead, to be eligible for FTCA immunity, the suit must be for “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related
functions, including the conduct of clinical studies or investigation.” 42 U.S.C. § 233(a). And the “‘act or omission giving rise to the claim’ must also have occurred while the defendant was ‘acting within the scope of [their] office or employment.’” Blumberger,
115 F.4th at 1118 (brackets omitted) (quoting 42 U.S.C. § 233(a)). When a medical malpractice suit is filed against a federally supported health center or its employee, courts must therefore determine whether the defendant was “acting within the scope
of” their employment with PHS such that an FTCA claim against the United States itself is the exclusive remedy. Id. (quoting 42 U.S.C. § 233(a)). To assist courts with this determination, federal law directs the U.S. Attorney
General to appear in cases brought against federally supported health centers or their personnel and to certify whether the “entity, officer, governing board member, employee, or contractor of the entity is deemed to be an employee of the Public Health Service” for the purposes of the FSHCAA “with respect to the actions or omissions that
are the subject of such civil action or proceeding.” 42 U.S.C. § 233(l)(1). This appearance must be made within fifteen days of receiving notice of an action against a deemed employee. Id. If the Attorney General answers in the affirmative, the employee
is presumed to be acting within the scope of their employment, Blumberger, 115 F.4th at 1131, and the Attorney General “shall” remove the case to federal court, 42 U.S.C. § 233(c). The federal court may then, upon a motion to remand, hold a hearing as to whether the deemed employee was indeed acting within the scope of their employment
at the time of the malpractice. Blumberger, 115 F.4th at 1119; 42 U.S.C. § 233(c). The statute contemplates that the Attorney General might fail to appear within the prescribed fifteen days. Blumberger, 115 F.4th at 1119. If the Attorney General fails
to appear by that time, the sued health center or employee can themselves petition for removal. 42 U.S.C. § 233(l)(2). At that time, the case “shall be stayed” until the federal court “conducts a hearing, and makes a determination, as to the appropriate forum or
procedure for the assertion of the claim.” Id. B. The Data Breach and Class Action Lawsuits These suits arise not from medical malpractice in a traditional sense, but from a
cybersecurity incident. From May 4 to May 7, 2024, Malama experienced a cyberattack that resulted in the theft of thousands of current and former patients’ personal data, including their names, dates of birth, Social Security numbers, financial account numbers, medical history, and more. ECF No. 1-2, at PageID.26-27.
In response, several class actions were filed. Four of these cases were filed in Hawai‘i state court in the Circuit Court of the Second Circuit in October 2024. See Jones v. Cmty. Clinic of Maui, Inc., No. 2CCV-24-0000934 (Haw. Cir. Ct. Oct. 11, 2024); Jackson v.
Cmty. Clinic of Maui, Inc., No. 2CCV-24-0000937 (Haw. Cir. Ct. Oct. 14, 2024); Parry v. Cmty. Clinic of Maui, Inc., No. 2CCV-24-0000945 (Haw. Cir. Ct. Oct. 17, 2024); Curimao v. Cmty. Clinic of Maui, Inc., No. 2CCV-24-0000955 (Haw. Cir. Ct. Oct. 25, 2024). Plaintiffs bring state law claims under tort and contract theories and for violations of Hawai‘i
statutes, including the Unfair Deceptive Acts or Practices Statute, Uniform Deceptive Trade Practices Act, and Security Breach of Personal Information law. E.g., ECF No. 1. Malama was served with the complaints,2 and it informed the U.S. Attorney’s Office of
the lawsuits shortly thereafter.3 Less than fifteen days after receiving notice, on November 1, 2024 (for Jones and Parry) and January 15, 2025 (for Jackson and Curimao), the Attorney General, through the
U.S. Attorney’s Office, appeared in state court and filed notices advising Malama and Plaintiffs that although Malama was “deemed” an “employee” of PHS at the time of the cyberattack, the complaints do “not arise out of any conduct” for which “§ 233(a) makes
the remedy against the United States exclusive.” E.g., ECF No. 1-3, at PageID.108; see also ECF No. 10-4, at PageID.383 (Jan. 15, 2025, letter from U.S. Attorney’s Office to counsel for Jackson and Curimao informing them that it would not be intervening because the actions are not “for damage for personal injury, including death, resulting
from the performance of medical, surgical, dental, or related functions” under 42 U.S.C. § 233(a)). In other words, the Attorney General took the position that while Malama
2 Service was effectuated on October 15, 2024 (for Jones), October 21, 2024 (for Parry), December 12, 2024 (for Curimao), and January 8, 2025 (for Jackson). Return of Service, Jones, No. 2CCV-24-0000934, ECF No. 13; Return of Service, Parry, No. 2CCV- 24-0000945, ECF No. 10; Return of Service, Curimao, No. 2CCV-24-0000955, ECF No. 9; Return of Service, Jackson, No. 2CCV-24-0000937, ECF No. 28.
3 The U.S. Attorney’s Office received notice of the lawsuits on October 21, 2024 (Jones), October 22, 2025 (Parry), and January 7, 2025 (Jackson and Curimao). Notice, Jones, No. 2CCV-24-0000934, ECF No. 15; Notice, Parry, No. 2CCV-24-0000945, ECF No. 12; Notice, Curimao, No. 2CCV-24-0000955, ECF No. 20; Notice, Jackson, No. 2CCV-24- 0000937, ECF No. 26. was entitled to immunity from medical malpractice liability during the relevant time, it was not entitled to immunity for the cybersecurity incident at issue.
Despite the Attorney General’s stance, on January 24, 2025, Malama removed all four state court actions to federal court. Curimao v. Cmty. Clinic of Maui, Inc., No. 25-cv- 00030; Jackson v. Cmty. Clinic of Maui, Inc., No. 25-cv-00031; Jones v. Cmty. Clinic of Maui,
Inc., No. 25-cv-00032; Parry v. Cmty. Clinic of Maui, Inc., No. 25-cv-00033. As grounds for removal, Malama cited two federal statutes: (1) 42 U.S.C. § 233(l)(2), which provides for the removal of actions brought against federally funded health centers; and (2) 28 U.S.C.
§ 1442, which is the general federal officer removal statute.4 ECF No. 1. The United States maintained its position that federal immunity—and thus removal jurisdiction—did not lie. Although not a party to the cases, on February 24, 2025, the United States filed a motion to remand the four removed cases, ECF No. 10,
which have since been consolidated with four other class actions arising from the same cyberattack that were filed in federal court in the first instance, see ECF No. 17. The court permitted both parties to respond to the remand motion, see ECF No. 18, and
while Malama opposed remand, ECF No. 23, on April 9, 2025, Plaintiffs filed a response
4 Malama does not rely on the Class Action Fairness Act, 28 U.S.C. § 1332(d), which is cited as a basis for federal jurisdiction for the class actions that were filed in federal court in the first instance. See, e.g., Complaint at 6, Aleuta v. Cmty. Clinic of Maui, Inc., No. 24-cv-00431 (D. Haw. Oct. 2, 2024), ECF No. 1. in support of the motion, and joined the motion in full, ECF No. 24. The court held a hearing on the motion on June 4, 2025. ECF No. 27.
DISCUSSION The parties’ briefs present three questions: First, seeking to avoid the merits of remand, Malama contends that Plaintiffs have waived any procedural arguments
against removal and that as a non-party, the United States cannot itself assert those objections in their place. The second and third questions get at the substance of the federal statutes Malama relies on as grounds for removal.
A. Waiver of Remand Under 28 U.S.C. § 1447(c) Malama’s first contention is that this remand motion is procedurally defective. In Malama’s view, because Plaintiffs did not timely move to remand these cases themselves, and instead moved to consolidate the removed actions with those filed in
federal court, they have waived any procedural argument for remand under the statutory remand procedures. And it argues that while the United States’s motion would undisputedly be timely, the United States cannot itself seek remand on those
grounds because it is a non-party. The procedures for remand are laid out in 28 U.S.C. § 1447. Under § 1447(c), a “motion to remand the case on the basis of any defect other than lack of subject matter jurisdiction must be made within 30 days after the filing of the notice of removal under
section 1446(a).” A district court may therefore “only remand a case to state court for procedural defects upon a timely motion to remand.” Friedenberg, 68 F.4th at 1121 (cleaned up). A motion to remand for lack of subject matter jurisdiction, however, may
be brought “at any time before final judgment.” 28 U.S.C. § 1447(c). While in many instances, motions are limited to parties to a case, the FSHCAA specifically contemplates that the United States appear, remove, and file motions to
remand cases involving federally supported health centers that have been “deemed” federal employees for the purposes of malpractice liability. See 42 U.S.C. § 233(c), (l)(1) (directing the Attorney General to remove cases to federal court after certifying that the
defendant was a “deemed” employee “with respect to the actions or omissions that are the subject of such” action); Blumberger, 115 F.4th at 1134 (explaining that after a case is removed, the Attorney General may “seek ‘a hearing on a motion to remand,’ arguing ‘that the case so removed is one in which’” the defendant was not acting within the
scope of their employment (citation omitted) (quoting 42 U.S.C. § 233(c)). Nothing in the statute says that the United States must formally intervene to fulfill its statutory obligations.5 Accordingly, no arguments that the government can raise under § 233 are
5 Malama cites to a motion to intervene that the United States filed in a separate case in the District of Massachusetts. ECF No. 23, at PageID.16. In that case, the United States sought to intervene to substitute itself for a health center as the defendant. Motion to Intervene at 1 n.1, Carlan v. Fenway Cmty. Health Ctr., Inc., Civil No. 23-12361, 2025 WL 1000478 (D. Mass. Mar. 28, 2025), ECF No. 27. That is, the United States used intervention as the procedural method to effectuate its substitution because it had concluded that the employee was immune from suit. See id. These are not the circumstances presented here. waived. Moreover, much of the United States’s motion encompasses not only procedural defects, but whether removal jurisdiction lies, which the court would have
an independent obligation to address with or without a party’s motion. See Valdez v. Allstate Ins. Co., 372 F.3d 1115, 1116 (9th Cir. 2004). Nonetheless, it is true that the United States’s motion rests in part on procedural
grounds not related to § 233: it argues that Malama’s 28 U.S.C. § 1442 removals were themselves untimely because the notices of removal were filed over thirty days after service of the complaint in three of the cases (Curimao, Jones, and Parry). Malama
maintains that these specific procedural arguments must be raised by Plaintiffs themselves, not the government. And Malama argues that Plaintiffs waived any objection to the timeliness of the removals because while the United States’s remand motion was filed exactly thirty days after Malama’s notices of removal, see ECF No. 10,
Plaintiffs did not join that motion until after the thirty-day period for moving to remand under § 1447(c) had passed, see ECF No. 24. Further, Malama points out, Plaintiffs took steps to proceed in federal court; they moved to consolidate the removed class actions
with the existing federal court class actions. See ECF No. 17. Nothing on the face of § 233 or § 1447 appears to permit the government to move for remand on the ground that a defendant’s removal was untimely. And Plaintiffs in these removed cases did not themselves timely move for remand. Nor does there
appear to be any reason why the United States would need to raise non-jurisdictional timeliness defects in a remand motion to fulfill its statutory obligations under the FSHCAA: The FSHCAA calls on the Attorney General to certify whether a defendant
has been deemed an employee of the United States with respect to the actions or omissions that are the subject of the lawsuit. It does not require the Attorney General to calculate whether a remand motion is timely (which is an argument a plaintiff is equally
capable of raising for themselves). But the court need not definitively resolve whether Plaintiffs have waived this limited procedural point, because Malama’s 28 U.S.C. § 1442 removal nonetheless falls
short on the substantive elements, for reasons explained below. B. Removal Under 42 U.S.C. § 233(l)(2) Before turning to 28 U.S.C. § 1442, the court must consider 42 U.S.C. § 233, which is Malama’s first cited basis for removal. That statute is “hardly a model of clarity,” and
so the court proceeds with caution. Blumberger, 115 F.4th at 1126. But after careful consideration of the statutory text and case law, the court concludes § 233(l)(2) does not confer a basis for removal under the circumstances presented here. Nor was the
Attorney General obligated to remove the case under § 233(l)(1). 1. Section 233(l)(2) kicks in only where the Attorney General fails to appear in state court within the § 233(l)(1) fifteen-day period. Under § 233(l)(2), if the Attorney General “fails to appear in State court within the time period prescribed under
paragraph (1), upon petition of any entity or officer, governing board member, employee, or contractor of the entity named, the civil action or proceeding shall be removed to the appropriate United States district court.”
Here, it is undisputed that the United States appeared in state court within the fifteen-day period prescribed by § 233(l)(1). And it expressly declined to remove the cases. E.g., ECF No. 1-3, at PageID.107-09. The U.S. Attorney’s Office, on behalf of the
Attorney General, certified that although Malama was “deemed” an “employee” of PHS for the relevant time period, the complaints do “not arise out of any conduct” by Malama for which “§ 233(a) makes the remedy against the United States exclusive,” id.
at PageID.108—that is, they arose out of the performance of cybersecurity, and not a medical or related function. Malama nonetheless contends that removal was proper; in its view, removal was mandated based on the substance of the Attorney General’s certification because the Attorney General represented that Malama was “deemed” an
employee at the time of the incident, regardless of whether Malama was deemed as such with respect to the particular actions or omissions at issue. a. Malama’s argument rests on the Ninth Circuit case Blumberger v. Tilley, 115
F.4th 1113. In Blumberger, the Ninth Circuit held that the Attorney General should have removed a medical malpractice suit to federal court. Id. at 1140. As with these cases, Blumberger was initially filed in state court against a community health center receiving federal grant funds. Id. at 1119-20. The Attorney General in that case appeared in state
court and notified the court that whether the defendant was “deemed” to be an employee of PHS “with respect to the actions or omissions that are the subject of” the case was “under consideration.” Id. at 1120. It did so even though the defendant had
been “deemed” an employee of PHS for the relevant time period. Id. Nearly a year later, the government amended its notice to say that the defendant was not deemed an employee of PHS with respect to those specific actions or omissions. Id. And, like here,
the defendant itself then removed the case to federal court under § 233(l)(2)—even though the Attorney General had made an appearance under § 233(l)(1) and had answered in the negative. Id.
The Ninth Circuit did not ultimately resolve whether the defendant’s own § 233(l)(2) removal was proper under the circumstances. Id. at 1140. Instead, it carefully parsed the statutory language to determine the Attorney General’s obligations under § 233(l)(1). As the circuit explained, the Attorney General was obligated to
advise the state court that the Secretary had “deemed” the defendant to be a PHS employee for the relevant time period with respect to medical malpractice. Id. at 1127. Based on that fact alone, the court concluded that the Attorney General should have
removed the case under § 233(l)(1)—irrespective of whether the Attorney General ultimately concluded that the malpractice was committed within the scope of the defendant’s employment with PHS. Id. at 1139. In reaching this decision, the court interpreted § 233(l)(1)’s phrase, “‘deemed
. . . with respect to the actions or omissions’ giving rise to the lawsuit.” Id. at 1130 (emphasis added) (quoting 42 U.S.C. § 233(l)(1)). The court determined that this provision “requir[es] a simple up-down certification to the state court that the
defendant has been deemed a PHS employee for the time period in question with respect to the category of services identified in the complaint.” Id. at 1133 (emphasis added). The categories of service for which a medical center may be deemed are “the
performance of medical, surgical, dental, or related functions.” Id. at 1129 (quoting 42 U.S.C. § 233(a)). Put another way, the Attorney General must certify in the affirmative and remove the case to federal court if two requirements are met: (1) the defendant was
“deemed” an employee for the time period at issue, and (2) the claims brought fall within the category of services for which the defendant was deemed an employee. Id. at 1130. Section 233(l)(1) does not, however, call on the Attorney General to resolve whether the defendant was acting within the scope of employment prior to removal. Id.
at 1127. In interpreting the statute, the Ninth Circuit took great care to distinguish between the Secretary’s ex-ante deeming decision and the Attorney General’s ex-post
coverage decision. See id. at 1127-29 (describing the Secretary and Attorney General’s respective areas of expertise). As the initial step, the Secretary must have “deemed” a health center and its employees to be employees of PHS for the relevant time. Id. at 1129. Then, when a lawsuit is filed, the Attorney General’s role proceeds in two steps.
First, the Attorney General must certify to the court that “the defendant has been deemed a PHS employee for the time period in question with respect to the category of services identified in the complaint.” Id. at 1133. Again, that is a simple, categorical
certification that requires the Attorney General to refer only to (1) the deeming notice and (2) the complaint. Id. And after doing so, the Attorney General must remove the case to federal court. Id. at 1134. At that point, the Attorney General’s second duty
comes into play. The Attorney General must then make the potentially more complex determination of whether the defendant acted within the scope of their employment. Id. at 1133 (explaining that the initial fifteen-day period would be a “very compressed
timeframe in which to make” a scope-of-employment decision, which may require a “full-blown investigation”). If the Attorney General concludes that the deemed employee is not ultimately a covered employee, the Attorney General may then seek a hearing on a motion to remand in federal court addressing that issue. Id. at 1134 (citing
42 U.S.C. § 233(c)). Because the Attorney General should have removed the Blumberger lawsuit to federal court under § 233(l)(1), the Ninth Circuit ultimately vacated the district court’s
ruling and remanded to the district court for further proceedings consistent with § 233: the panel directed the district court to hold a hearing on the issue of coverage. Id. at 1139-40. The circuit therefore declined to decide whether the defendant’s § 233(l)(2) removal was proper. Id. at 1140. It also remanded because the district court had applied the wrong legal standard to the defendant’s separate ground for removal under the general federal officer statute, 28 U.S.C. § 1442. Id.
b. Malama frames Blumberger as a straightforward support for its position. In Malama’s view, Blumberger stands for the proposition that if Malama is a “deemed” employee and fifteen days pass without the Attorney General removing the case under
§ 233(l)(1), Malama has the right to remove the case itself under § 233(l)(2). Malama’s argument suffers from two flaws. First, and most simply, Blumberger did not reach the question of whether a defendant’s own removal is proper where the Attorney General
does appear in state court, but certifies in the negative. Id. at 1140. The Ninth Circuit decided only that the Attorney General should have removed the action in the circumstances of that case. Id. And so even if this court agrees with Malama that the Attorney General should have removed the cases here, the court would still be left with
the open question of whether Malama’s own removal was proper. Second, under Blumberger, the Attorney General’s § 233(l)(1) certification includes two parts. It encompasses not only the question of whether a defendant was a
“deemed” employee of PHS at the relevant time. Instead, the Attorney General must further certify that the defendant was deemed as such “with respect to the actions or omissions that are the subject of such civil action,” 42 U.S.C. § 233(l)(1)—that is, “with respect to the category of services identified in the complaint,” Blumberger, 115 F.4th at
1133 (emphasis added). That provision was unquestionably satisfied in Blumberger because the complaint in that case brought medical malpractice claims. Id. at 1116. But Blumberger expressly confirmed that the “Attorney General may reply in the negative if
the acts or omissions identified in the complaint fall outside the category of services for which the defendant is deemed.” Id. at 1130 (emphasis added). That is precisely what the government says happened here. And so nothing in Blumberger conflicts with the
approach the government has taken in this case. Resisting that conclusion, Malama seeks to distinguish this case from the Ninth Circuit’s example of a permissible negative reply by the Attorney General. ECF No. 23,
at PageID.437. Blumberger explained that the “‘with respect to the actions or omissions’ language will most often apply in cases involving part-time contractors, because their § 233 immunity is limited to specific categories of services.” 115 F.4th at 1131. Under § 233, part-time contractors are only “deemed” with respect to “services in the fields of
family practice, general internal medicine, general pediatrics, or obstetrics and gynecology.” 42 U.S.C. § 233(g)(5)(B). Full-time and part-time employees, in contrast, are more broadly “deemed” with respect to “medical, surgical, dental, or related
functions.” Id. § 233(a). In light of this distinction, the Ninth Circuit provided the example of a permissible negative certification for a “part-time contractor sued for negligent dental care.” Blumberger, 115 F.4th at 1130. And that category of services, Malama correctly points out, is explicitly excluded by the statute. But whether cybersecurity is encompassed by § 233(a)’s list of services is the very question the Attorney General was called to answer in these cases. The fact that the
statute does not expressly name and exclude cybersecurity from its reach cannot mean that the Attorney General is prohibited from concluding that such services are not included in the list. More importantly, contrary to Malama’s assertions, this
interpretation does not violate Blumberger by effectively turning the Attorney General’s category-of-services determination into a de facto scope-of-employment determination. See ECF No. 23, at PageID.437. That is because the scope-of-employment test does not
involve the category of services provided, but rather application of “the principles of respondeat superior of the state in which the alleged tort occurred.” Saleh v. Bush, 848 F.3d 880, 888 (9th Cir. 2017) (cleaned up). In general, that inquiry involves asking “whether the employee’s conduct was related to the employment enterprise or if the
enterprise derived any benefit from the activity.” Wong-Leong v. Hawaiian Indep. Refinery, Inc., 76 Hawai‘i 433, 441, 879 P.2d 538, 546 (1994); see also Restatement (Second) of Agency § 228 (A.L.I. 1958) (stating that conduct is within the scope of employment if
“(a) it is of the kind [they are] employed to perform; (b) it occurs substantially within the authorized time and space limits; (c) it is actuated, at least in part, by a purpose to serve the master[;] and (d) if force is intentionally used by the servant against another, the use of force is not unexpectable by the master”). And conduct could fall within the scope of employment at a health center, but still not fall within the categories of services enumerated by § 233(a)—or vice versa.
Moreover, although Malama maintains that the issue of whether it is a deemed employee with respect to cybersecurity should be addressed at the coverage stage with an evidentiary hearing, not at the removal and remand stage, see ECF No. 23, at
PageID.438-40, the nature of that decision cuts against Malama’s argument. It is not a question that might require a “full-blown investigation” into the facts; it is, instead, a categorical “up-down” determination that requires looking only at the allegations in the
complaint. Blumberger, 115 F.4th at 1133. That is exactly the certification required before, not after, removal under Blumberger. Id. For these reasons, the determination of whether cybersecurity is a category of services for which a medical center may be deemed under § 233(a) does not encroach on the scope-of-employment determination.
To be sure, Blumberger emphasizes the strong presumption in favor of the availability of judicial review. Id. at 1135-39. The Ninth Circuit noted that “[i]f subsection (l)(1) allows the Attorney General to advise in the negative because it
decides that the employee was not acting within the scope of his employment, the employee [would have] no meaningful forum in which to challenge the government’s failure to certify scope of employment.” Id. at 1135. And Malama contends that adopting the government’s view under these circumstances would effectuate that same
undesirable result: it would foreclose review of the Attorney General’s pre-removal certification. See ECF No. 23, at PageID.438. It is true, as this case shows, that whether a complaint arises from a category of services for which a defendant is deemed may not
always be a clear-cut call, see Lockhart v. El Centro del Barrio, --- F. Supp. 3d ---, 2025 WL 1161464, at *6 (W.D. Tex. Apr. 21, 2025); it is one that might indeed warrant judicial review. But Blumberger does not leave health centers without a remedy for potentially
erroneous negative replies by the government. Instead, Blumberger forges another route to judicial review: In declining to decide whether the defendant’s § 233(l)(2) removal was proper, the Ninth Circuit instead resolved the very question of whether the
Attorney General’s decision not to remove under § 233(l)(1) was proper. And because the court concluded that it was not, the Ninth Circuit vacated the federal district court’s order remanding the suit to state court and remanded the case to the district court for further proceedings. 115 F.4th at 1140. Put differently, Blumberger authorizes courts to
review the propriety of the Attorney General’s decision not to remove a case under § 233(l)(1) based on the category of services identified in the complaint. And at the hearing on the remand motion, Malama acknowledged that the availability of such
review would assuage its concerns about conflating the Attorney General’s deeming certification with its coverage determination. Concerns about the need for judicial review, therefore, offer no reason to depart from Blumberger’s clear directive regarding the scope of the Attorney General’s pre-removal certification: under § 233(l)(1), the
Attorney General must certify both (1) whether a defendant was “deemed” a PHS employee for the relevant time, and (2) whether they were deemed as such “with respect to the category of services identified in the complaint.” Id. at 1333; accord
Johnson v. Petaluma Health Ctr., Inc., --- F. Supp. 3d ---, 2025 WL 1539853, at *1 (N.D. Cal. May 30, 2025) (rejecting defendant health center’s argument that whether a defendant is a “deemed” employee—and not whether it is deemed “with respect to” the category of
services identified—is the sole pre-removal advice given by the Attorney General). 2. Up to this point, the court has concluded that Blumberger does not answer whether a defendant can remove a case to federal court under § 233(l)(2) when the
Attorney General does appear in state court but makes an unfavorable certification. The court has also concluded that the Attorney General’s notice here did not conflate pre- removal deeming certification with its post-removal coverage determination. At the same time, the court has concluded that Blumberger authorizes judicial review of that
unfavorable certification. The remaining question is whether the Attorney General correctly determined that cybersecurity is not a category of services for which Malama was deemed under
§ 233(a). And while Malama’s briefing argued only that it has the right to remove under § 233(l)(2)—and it did not ask the court to consider granting relief based directly on the Attorney General’s failure to remove under § 233(l)(1)—at oral argument, both parties agreed that the court could, and should, resolve the merits of that latter issue. To fall within § 233(a), the category of services identified in the complaint must involve “the performance of medical, surgical, dental, or related functions.” Blumberger,
115 F.4th at 1129 (quoting 42 U.S.C. § 233(a)). Cybersecurity to protect patients’ data is undisputedly not the performance of a medical, surgical, or dental function; Malama’s only argument is that it is a “related function.” See ECF No. 23, at PageID.438-40
(arguing that the court should resolve whether the claims involve the performance of “related functions” upon a hearing at the coverage stage). In interpreting statutes, the court’s “task is to construe Congress’s intent, and
doing so requires [the court] to ‘begin, as always, with the language of the statute.’” Chubb Customs Ins. Co. v. Space Sys./Loral, Inc., 710 F.3d 946, 958 (9th Cir. 2013) (quoting Duncan v. Walker, 533 U.S. 167, 172 (2001)). It is a “fundamental precept of statutory construction that, unless otherwise defined, ‘words will be interpreted as taking their
ordinary, contemporary, common meaning.’” Id. (quoting Perrin v. United States, 444 U.S. 37, 42 (1979)). In addition, “because words necessarily derive meaning from their context, ‘interpretation of a word or phrase depends upon reading the whole statutory
text, considering the purpose and context of the statute.’” Id. (brackets omitted) (quoting Dolan v. U.S. Postal Serv., 546 U.S. 481, 486 (2006)). Where the statute’s text is unambiguous, the court’s inquiry ends with that text and does not encompass legislative history or any other extrinsic material. Republic of Ecuador v. Mackay, 742 F.3d
860, 864-65 (9th Cir. 2014). Courts have interpreted § 233(a) with differing results. On the government’s side is the Fourth Circuit’s decision in Ford v. Sandhills Medical Foundation, Inc., 97 F.4th
252 (4th Cir. 2024). In Ford, the Fourth Circuit concluded § 233(a) did not encompass tort claims arising from a cyberattack that resulted in the theft of the plaintiff’s personal information after she had ended treatment at the health center. Id. at 262. The court
looked to the plain language of § 233(a), and because “medical, surgical, and dental” are all “adjectives that describe various fields of health care,” the court read “related” as referring to other health care fields. Id. at 259-60. And it defined “function” is an
“action for which one is particularly fitted or employed.” Id. at 258-59 (quoting Webster’s Seventh New Collegiate Dictionary 338 (1969)). The court explained that data security, from which the cyberattack claims arose, is not an activity any health care field is particularly fitted to execute. Id. at 260-61. Moreover, while the court acknowledged
that health centers have a statutory duty to maintain the confidentiality of patient records, id. at 261 (citing 42 U.S.C. § 254b(k)(3)(C)), it explained that the focus of § 233(a) is on function, not duty, id. at 262. The panel therefore vacated the district court’s order
applying § 233(a) immunity to the health center. Id. Malama, for its support, cites a handful of unpublished pre-Ford district court opinions that it says cut the other way. The only in-circuit case is Doe v. Neighborhood Healthcare, No. 21-cv-01587, 2022 WL 17663520 (S.D. Cal. Sept. 8, 2022). In that
unpublished opinion, the District Court for the Southern District of California agreed with the defendant health care provider that § 233(a) applied to the plaintiff’s claims arising from a data breach based on its conclusion that “providing proper storage and
security of Plaintiff’s confidential health information is a function related to the medical care Plaintiff received.” Id. at *6. Doe, however, relied in significant part on the very district court case that the Fourth Circuit vacated in Ford. Doe, 2022 WL 17663520, at *6
(citing Ford v. Sandhills Med. Found., Inc., No. 21-cv-02307, 2022 WL 1810614 (S.D. Cal. 2022), vacated, 97 F.4th 252 (9th Cir. 2024)); see also Lockhart, 2025 WL 1161464, at *6. For that reason, its persuasive value is somewhat lessened.
The most exhaustive of the cases Malama cites is Krandle v. Refuah Health Center, in which the District Court for the Southern District of New York held—in an unpublished opinion authored just weeks before Ford—that the health center was deemed an employee under § 233(a) with respect to claims arising from a data breach.
Nos. 22-CV-4977 & 22-CV-5039, 2024 WL 1075359, at *10-11 (S.D. N.Y. Mar. 12, 2024). In reaching this decision, the court noted that the terms “medical, surgical, and dental” do not exclusively encompass treatment itself, but are instead “adjectives that pertain or
relate to treatment.” Id. at *4 (cleaned up). And it described “related” as a broad term meaning only that a function “must have a real relationship to the practice of medicine,” id. at *5—that is, the function must be within the center’s capacity as a health services provider and it must be necessary to effective health care, id. at *8. Based on
these understandings, the court concluded that data security does have a real relationship to medicine because a health center necessarily “takes on certain confidentiality, privacy, and security duties unique to such businesses.” Id. at *10.
Also noteworthy is Mele v. Hill Health Center, a District of Connecticut case that involved the improper disclosure of medical information to a hospital “during the course of” the plaintiff’s drug treatment program. No. 06cv455, 2008 WL 160226, at *3
(D. Conn. Jan. 8, 2008). That court, too, held that the claims alleged in the complaint fell within § 233(a)’s reach. Ford nodded to—but disagreed with and distinguished—the district courts’
decisions in Krandle and Mele, respectively. It rejected, for one, Krandle’s approach as “fail[ing] to focus on whether the alleged damages arose as a result of the provision of health care to the injured party.” Ford, 97 F.4th at 262. And it distinguished Mele, for another, as involving an injury that arose from the improper disclosure of patient
information “to another provider at the direction of a medical professional in relation to the patient’s treatment”; the Fourth Circuit explained that the unexpected cyberattack, by contrast, did not “arise from any action” taken by the employee “as a doctor
responsible for, or in the course of rendering medical treatment for” the plaintiff, particularly where the plaintiff had not been a patient “for at least a year.” Ford, 97 F.4th at 260-61 (cleaned up). In taking a side on this issue, this court does not write from a blank slate.
Although the Ninth Circuit has not addressed the precise question of whether § 233(a) encompasses claims arising from a cyberattack, it has given some general guidance about § 233(a)’s reach. And the court is obligated to follow the Ninth Circuit case that
touches on § 233(a), so far as it goes. That case is Friedenberg v. Lane County, 68 F.4th 1113. In Friedenberg, the Ninth Circuit interpreted § 233(a) while addressing—and rejecting—an argument that § 233
conferred lesser immunity protections for “deemed” health centers than for true PHS employees. Id. at 1126-28. The plaintiffs in that case had brought negligence and wrongful death claims against a health center and its employees for failing to fulfill
their duty to notify a court about a patient’s refusal to comply with the mental health treatment plan aspect of his probation. Id. at 1118-19. Relevant here, the court expressly rejected the plaintiffs’ contention that § 233 extends immunity only for medical malpractice claims. Id. at 1127-28 (“[T]he scope of § 233 immunity does not depend on
whether the claim is framed as one of medical malpractice, but rather whether the claim is the result of the defendant’s ‘performance of medical, surgical, dental, or related functions’ in providing services to both patients and nonpatients alike.” (quoting 42
U.S.C. § 233(a))). The court held that the conduct at issue in that case was “intertwined with” the defendants’ “provision of medical services,” or “at the very least, [was] ‘related’ to” those services, and so it fell within the ambit of § 233(a). Id. at 1130. Read alone, the Ninth Circuit’s guidance on § 233(a) in Friedenberg is fairly broad.
Because the Ninth Circuit has already expressly held that the statute encompasses more than just medical malpractice actions, to the extent that the government and Plaintiffs suggest to the contrary, see ECF No. 10-1, at PageID.363, that argument holds no weight.
Furthermore, Friedenberg cited with approval Mele, which held that the improper disclosure of patient information to another provider for the purposes of treatment fell within § 233(a). Friedenberg, 68 F.4th at 1128-30. But that does not necessarily translate
to a circuit split—Ford, as noted, did not reject Mele, but merely distinguished it. See Ford, 97 F.4th at 260. Courts generally “decline to create a circuit split unless there is a compelling reason to do so.” Padilla-Rameriz v. Bible, 882 F.3d 826, 836 (9th Cir. 2017).
The court must therefore determine whether Friedenberg compels this court to read into Ninth Circuit law a circuit split from the Fourth Circuit’s recent Ford decision. The court concludes that it does not. As an initial matter, Friedenberg and Ford are largely reconcilable. The binding test under Friedenberg is whether the pertinent
activities are “intertwined with” the defendants’ “provision of medical services.” 68 F.4th at 1130. And some courts that have applied that very standard have held that cybersecurity does not meet it. In Hale v. ARcare, Inc., No. 22-CV-00117, 2024 WL
1016361 (E.D. Ark. Mar. 8, 2024), and Marshall v. Lamoille Health Partners, No. 22-cv-166, 2023 WL 2931823 (D. Vt. Apr. 13, 2023), for example, each district court reviewed cases from other courts that have applied § 233(a) immunity to claims arising from activities that are “interwoven” with medical services. Hale, 2024 WL 1016361, at *2-3; Marshall,
2023 WL 2931823, at *4 (citing Goss v. United States, 353 F. Supp. 3d 878, 886 (D. Ariz. 2018) (cataloguing cases)). But in most of those cases, the courts explained, the “‘related function’ was directly ‘interwoven’ with the caregiver’s provision of medical care.”
Marshall, 2023 WL 2931823, at *4; accord Hale, 2024 WL 1016361, at *3 (explaining that cases applying § 233(a) to claims for failure to protect private information largely “involve conduct that occurred during the course of medical treatment within the
context of the provider-patient relationship”). The same is not true of the technology activities from which data breach claims arise—those activities “instead consist[] of security-related work by information technology and compliance personnel in a health
care setting.” Marshall, 2023 WL 2931823, at *5; see also Hale, 2024 WL 1016361, at *3. Friedenberg, for example, involved a physician’s duty to notify a court of violations of a treatment plan. 68 F.4th at 1128. And Mele, which the Ninth Circuit cited with approval in Friedenberg, similarly involved the disclosure of a patient’s medical
information to another provider for the purposes of treatment. Mele, 2008 WL 160226, at *3. Unlike cybersecurity measures, the activities in those cases are clearly intertwined with the provision of medical treatment itself. See also Teresa T. v. Ragaglia, 154 F. Supp.
2d 290, 300 (D. Conn. 2001) (concluding that a doctor’s duty to report suspected child abuse was a “related function” because it was “woven into” the doctor’s performance of medical services); Z.B. ex rel. Next Friend v. Ammonoosuc v. Cmty. Health Servs., Inc., Nos. Civ. 03-540 & 04-34-P-S, 2004 WL 1571988, at *3 (D. Me. June 13, 2004) (similar), report
and recommendation adopted sub nom., Z.B. ex rel. Kilmer v. Ammonoosuc Cmty. Health Servs., Inc., 2004 WL 1925538 (D. Me. Aug. 31, 2004); Kezer v. Penobscot Cmty. Health Ctr., No. 15-cv-00225, 2019 BL 141566, at *2, *6 (D. Me. Mar. 21, 2019) (applying § 233(a)
immunity to claim for health center employees’ unauthorized access to confidential counseling records). This understanding of medical and related functions makes good sense based on
the text and context of § 233(a). Section 233(a) specifies that the United States shall be substituted as a defendant solely for “personal injury” claims, “including death.” 42 U.S.C. § 233(a); see also Ford, 97 F.4th at 260. The court’s understanding of what is a
medical or related function must be at least cabined by that statutory directive. Granted, § 233(a) does not only encompass traditional medical malpractice personal injury claims; it can, for example, include personal injury claims for constitutional violations that occur during treatment. See Friedenberg, 68 F.4th at 1128-29. And while
Plaintiffs argue that their claims are not for personal injury here, but for property damages and related economic losses, ECF No. 24, at PageID.463-64, their complaints belie that contention—they allege at least some personal injuries. See ECF No. 1-2, at
PageID.52 (“Plaintiff and the Class have suffered and will continue to suffer other forms of injury and/or harm, including, but not limited to, anxiety, emotional distress, loss of privacy, and other economic and non-economic losses including nominal damages.”). But unlike in Friedenberg and Mele, these injuries do not arise from the performance of
services intertwined with the provision of medical or related services. To be sure, the injuries are “related” to the provision of medical treatment in a broad sense—the data is collected in order for medical treatment to be rendered. And
as Malama points out, it has a statutory duty to “maintain[] the confidentiality of patient records.” 42 U.S.C. § 254b(k)(3)(C). The Ninth Circuit has noted that a duty that is “imposed on doctors acting within their professional capacity” is typically “related”
to medical services for the purposes of § 233(a). Friedenberg, 68 F.4th at 1129-30. But not everything that is “related” to the provision of medical treatment in a broad sense is “related” in the manner that § 233(a) requires—a medical center might have a duty to
keep its building up to code or to maintain certain standards of cleanliness, for example, but that does not mean that the performance of construction or janitorial services arises out of the performance of medical or related functions. And there is a difference between medical professionals’ maintenance of confidentiality in their practice and data
security professionals’ maintenance of confidentiality through technological safeguards. The duty to maintain the security of stored data is not “intertwined” with medical treatment in the way that services provided by a medical professional are.
As Plaintiffs point out, § 233’s requirements for medical professionals do not extend to data security professionals. See, e.g., 42 U.S.C. § 233(h)(2) (requiring agencies to review health care professionals’ credentials and histories, but not that of data security professionals); id. § 233(i) (permitting the government to exclude individual
health care professionals from deemed status, but not data security professionals). And the FSHCAA counsels medical centers to obtain separate insurance for conduct that does not fall within the performance of “medical, surgical, dental, or related functions,”
including non-medical/dental professional liability coverage and general liability coverage. U.S. Dep’t of Health & Hum. Servs., Federal Tort Claims Act Health Center Policy Manual § I(H.4) (July 21, 2014 ed.).
For these reasons, the court concludes that the claims for the data breach alleged in the complaints do not arise out of the performance of medical, surgical, dental, or related functions that fall within the ambit of § 233(a). Accordingly, even if Malama
could itself have removed these cases under § 233(l)(2) if the government had improperly declined to remove the cases—which is by no means clear—the government’s decision not to do so was properly grounded in § 233(a). Section 233 therefore cannot provide a valid basis for Malama’s removal of these cases.
C. Removal Under 28 U.S.C. § 1442 Malama relies on one other statute as grounds for removal: the general federal officer removal statute found in 28 U.S.C. § 1442(a)(1). Section 1442(a)(1) permits
removal of actions initially brought in state court against “any officer (or any person acting under that officer) of the United States or of any agency thereof . . . for or relating to any act under color of such office.” Id. The United States argues that § 1442(a)(1) does not provide a basis for removal here for three reasons: (1) Malama’s § 1442 removal was untimely, (2) § 233 supplants § 1442 for federally funded health centers, and (3) the elements of § 1442(a)(1) removal are not met.
The court need not resolve the first two of these arguments because even if § 1442 is available, the substantive elements for removal under that provision are not met.
To satisfy the general federal officer removal statute, “a removing entity must establish that: (a) it is a person within the meaning of the statute; (b) there is a causal nexus between its actions, taken pursuant to a federal officer’s directions, and the
plaintiff’s claims; and (c) it can assert a colorable federal defense.” Doe v. Cedars-Sinai Health Sys., 106 F.4th 907, 913 (9th Cir. 2024) (cleaned up). While federal officer removal must be “liberally construed,” it is “not limitless.” Id. (cleaned up). Federal courts must avoid “bringing within its scope state-court actions filed against private firms in many
highly regulated industries.” Id. (cleaned up). Here, two elements of § 1442 are deficient: First, and most simply, Malama cannot assert a “colorable federal defense.” Id. Section 233 immunity is the only federal
defense that Malama raises, and that defense is not colorable for the reasons explained above—namely, because § 233(a) immunity does not extend to the data breach claims asserted in the complaint. That alone is reason enough to reject the § 1442 removal. See Lockhart, 2025 WL 1161464, at *9 (rejecting § 1442 as a ground for removal where § 233
immunity did not apply because defendant raised no colorable federal defense). Second, Malama’s cybersecurity activities were not “taken pursuant to a federal officer’s directions.” Cedars-Sinai, 106 F.4th at 913. To satisfy § 1442’s “causal nexus”
requirement, a defendant must “demonstrate that it was ‘acting under’ a federal officer in performing some act under color of federal office, i.e., that it was involved in an effort to assist, or to help carry out, the duties or tasks of the federal superior.” Id. (cleaned
up). Factors the court considers in making this determination include (1) whether the person is acting on behalf of the government in a manner akin to an agency relationship, (2) whether the person is subject to the government’s close direction,
(3) whether the private person is assisting the government in fulfilling “basic governmental tasks” that the government “itself would have had to perform” if it had not contracted with the private person, and (4) whether the private person’s activity is so closely related to the government’s implementation of its federal duties that the
private person faces a “significant risk of state-court prejudice,” as the government itself would face. Id. at 914 (cleaned up). Cybersecurity to protect medical patients’ data does not satisfy this test. In
arguing for the opposite conclusion, Malama relies on Agyin v. Razmzan, 986 F.3d 168, 175-80 (2nd Cir. 2021). But Agyin involved the direct provision of medical services to low-income patients. Id. That is distinct from the performance of cybersecurity and other technological functions. Doe v. Cedars-Sinai Health Systems illustrates this point: in
that case, the Ninth Circuit concluded that a federally supported health center’s building of a patient portal and website with tracking technology was not a basic governmental task. 106 F.4th at 916. The court acknowledged that building the portal
and website might well “advance the government’s policy by operating a patient portal that meets certain objectives and measures.” Id. at 917 (cleaned up). But that is not enough to make the conduct a basic governmental task; the applicable governmental
regulations vested “considerable discretion” in the health center and did not require the health center “to build a specific type of website or patient portal,” nor did they create the “requisite federal control or supervision.” Id. Similarly, here, while Malama’s
cybersecurity measures might well advance the objectives of the FSHCAA, Malama has not pointed to any federal law that requires it to implement any particular form of cybersecurity measures or otherwise controls the method by which Malama must satisfy the FSHCAA’s objectives.
To be sure, as a federally supported health center, Malama has a statutory duty to maintain the confidentiality of patient data. 42 U.S.C. § 254b(k)(3)(C). But “[m]erely complying with federal laws, policies or regulations,” without more, “does not
constitute ‘acting under’ a federal official for the purposes of federal officer removal.” Nevada v. Optum, Inc., No. 24-cv-00493, 2025 WL 947041, at *6 (D. Nev. Mar. 30, 2025) (citing Watson v. Philip Morris Cos., 551 U.S. 142, 145 (2007)); see also Cedars-Sinai, 106 F.4th at 913-14. And because these elements of § 1442 are not met, § 1442 does not
provide a valid basis for Malama’s removal of the complaints. PagelD.439
CONCLUSION Malama has offered only two grounds for removal, and for the reasons explained above, neither is sufficient here. The removed cases therefore cannot remain in federal
court. Non-party the United States’s motion to remand, ECF No. 10, is GRANTED, and the four removed consolidated cases (Curimao v. Cmty. Clinic of Maui, Inc., No. 25-cv- 00030; Jackson v. Cmty. Clinic of Maui, Inc., No. 25-cv-00031; Jones v. Cmty. Clinic of Maui, Inc., No. 25-cv-00032; and Parry v. Cmty. Clinic of Maui, Inc., No. 25-cv-00033) are REMANDED to the Circuit Court of the Second Circuit, State of Hawai‘i. The Clerk is DIRECTED to effectuate the remand and to CLOSE these cases. The remaining cases consolidated in In re Community Clinic of Maui Data Breach Litigation, No. 24-cv-431 (Aleuta v. Cmty. Clinic of Maui, Inc., No. 24-cv-431; Kaiwi v. Cmty. Clinic of Maui, Inc., No. 24-cv-00440; Johnson v. Cmty. Clinic of Maui, Inc., No. 24-cv-00443; and Oberg v. Cmty. Clinic of Maui, Inc., No. 24-cv-00483) are unaffected by this order. IT IS SO ORDERED. DATED: July 7, 2025, at Honolulu, Hawai‘i. gr te, f 6 % /s/ Micah W.J. Smith do’ Micah W.J. Smith United States District Judge Vere
Civil No. 24-00431 MWJS-WRP; In re Community Clinic of Maui Data Breach Litigation; ORDER GRANTING NON-PARTY THE UNITED STATES’S MOTION TO REMAND 35
Related
Cite This Page — Counsel Stack
Aleuta v. Community Clinic of Maui, Inc., Counsel Stack Legal Research, https://law.counselstack.com/opinion/aleuta-v-community-clinic-of-maui-inc-hid-2025.