The U.S. Court of Appeals for the Fifth Circuit affirmed a lower court's decision to remand a data breach class action lawsuit against El Centro Del Barrio, doing business as CentroMed, back to state court. The decision, filed Feb. 6, 2026, rejected the healthcare provider's attempts to secure federal forum protection under two federal statutes.

The case stems from a 2024 cybersecurity incident in which criminals infiltrated CentroMed's computer network and accessed patients' personal information. Arturo Gonzalez filed a class action lawsuit on behalf of affected patients, initially in state court.

CentroMed, a Texas nonprofit organization that operates as a community health center, attempted to move the case to federal court under 42 U.S.C. § 233 and 28 U.S.C. § 1442. However, the U.S. District Court for the Western District of Texas remanded the case back to state court, finding that federal removal was improper.

The Fifth Circuit panel, consisting of Circuit Judges Haynes, Duncan, and Ramirez, unanimously upheld the district court's remand order. Circuit Judge Haynes wrote the opinion for the court, stating that "removal was improper under both statutes."

The appeal focused solely on the jurisdictional question of whether CentroMed could seek federal forum protection, rather than the underlying merits of the data breach claims. This procedural battle highlights the strategic importance of forum selection in complex litigation, particularly in cases involving healthcare data breaches.

Section 233 of Title 42 provides federal tort liability protection for certain healthcare entities that receive federal funding, while Section 1442 of Title 28 allows federal officers and agencies to remove cases to federal court when they are sued for actions taken under federal authority. The court's decision suggests that CentroMed's status as a community health center did not qualify it for removal under either provision.

The ruling represents a victory for the plaintiff class, as state courts are often perceived as more favorable venues for consumer protection lawsuits. Federal courts typically have more restrictive procedural requirements and may be less sympathetic to class action claims.

Community health centers like CentroMed often receive federal funding through programs administered by the Health Resources and Services Administration. These federally qualified health centers serve underserved populations and are subject to various federal regulations. However, the Fifth Circuit's decision indicates that this federal connection alone is insufficient to establish federal jurisdiction in private lawsuits arising from data breaches.

The case reflects broader trends in healthcare cybersecurity litigation. Healthcare organizations have become frequent targets of cyberattacks due to the valuable nature of medical records and personal health information. When breaches occur, patients often file class action lawsuits alleging negligence in data security practices.

Defendants in such cases frequently attempt to remove litigation to federal court, believing it offers procedural advantages and potentially more favorable substantive law. However, courts have been increasingly restrictive about allowing removal in cases that lack a clear federal nexus.

The Fifth Circuit's decision joins a growing body of case law limiting healthcare providers' ability to escape state court jurisdiction in data breach litigation. This trend may encourage more aggressive state court litigation against healthcare organizations that experience cybersecurity incidents.

For healthcare providers, the ruling underscores the importance of robust cybersecurity measures and comprehensive data breach response planning. Organizations cannot rely on federal forum protection as a litigation strategy and must be prepared to defend data breach claims in potentially less favorable state court venues.

The case also highlights the complex interplay between federal healthcare funding, regulatory oversight, and civil liability. While community health centers operate under extensive federal oversight and receive federal funding, this federal involvement does not automatically create federal jurisdiction for all related litigation.

The district court case number is 5:24-CV-852, and the Fifth Circuit appeal was designated as case number 25-50092. The decision was filed on Feb. 6, 2026, with Lyle W. Cayce serving as the court clerk.

With the jurisdictional question now resolved, the case returns to state court where the parties will litigate the substantive claims related to the 2024 data breach. Gonzalez and the proposed class will have the opportunity to pursue their claims against CentroMed in what they likely view as a more favorable forum.

The ruling may influence similar cases involving federally funded healthcare organizations facing data breach litigation, establishing precedent that federal funding alone does not create grounds for removal to federal court.