By Jeffrey T. Donner, Esq.

If you handle litigation in Florida state court—especially anything involving public entities—you need to pay attention to Beck v. North Broward Hospital District. Not because it’s flashy. Not because it breaks new doctrinal ground. But because it quietly slams the door on a category of claims plaintiffs’ lawyers are increasingly filing: data-breach class actions against governmental bodies.

The Fourth District’s message is simple and unmistakable:

If you are suing a Florida governmental entity for a data breach and your damages are purely economic, sovereign immunity is going to swallow your case.

Let’s unpack why that matters.

The Setup

Former patients sued Broward Health—a public hospital district—after an October 2021 data breach. They alleged negligence and breach of contract. The alleged harms were what we now routinely see in privacy litigation:

• Loss of control over private information
• Diminished “market value” of personal data
• Identity theft
• Time and money spent on credit monitoring
• Future mitigation costs

The trial court dismissed the case with prejudice on sovereign immunity grounds. The Fourth District affirmed.

That “with prejudice” part is important. This wasn’t a pleading tweak situation. The court held that, as a matter of law, these claims fall outside the statutory waiver.

Why the Negligence Claim Fails

Florida’s sovereign immunity statute, section 768.28(1), waives immunity only for tort claims seeking money damages for:

• injury or loss of property
• personal injury
• death

The plaintiffs argued that their data had value, that it was compromised, and that this constituted “loss of property.”

The Fourth District was not persuaded.

The court treated these damages as economic losses—loss of informational value, mitigation expenses, privacy harm—not injury to tangible property. And Florida courts strictly construe waivers of sovereign immunity. If the statute does not clearly authorize the claim, the claim does not survive.

The court relied heavily on City of Pembroke Pines v. Corrections Corp. of America, Inc., which held that purely economic tort damages fall outside the limited waiver. The theme is consistent: sovereign immunity protects the public fisc unless the Legislature clearly says otherwise.

The teaching point here is this:

Florida courts are not going to stretch “injury or loss of property” to include abstract economic or privacy harms.

If there’s no tangible property damage, no bodily injury, no death—you are probably out.

Why the Contract Claim Fails

The plaintiffs tried a different angle: breach of contract.

They cobbled together various documents—the Patient’s Bill of Rights, HIPAA privacy notices, bylaws, codes of conduct—and argued that collectively they formed an “express contract.”

That argument runs straight into Pan-Am Tobacco Corp. v. Department of Corrections, which holds that the State can be sued in contract only on an express written contract.

Not implied. Not quasi. Not “it functioned like a contract.”

Express. Written. Contract.

The plaintiffs leaned on the Florida Supreme Court’s recent decision in Rojas v. University of Florida Board of Trustees, where a written financial liability agreement between students and a university was deemed enforceable.

But Rojas involved a document that looked like a contract, read like a contract, and contained binding language about payment obligations and venue.

HIPAA notices and patient-rights pamphlets are not that. They are regulatory compliance documents. They inform patients of statutory rights. They do not create bargained-for mutual obligations with contract enforcement language.

The Fourth District said so directly.

Two other important points the court reminded everyone of:

• HIPAA has no private cause of action (see Acara v. Banks).
• Section 381.026(3), Florida Statutes (Patient’s Bill of Rights), expressly says it does not create new civil remedies.

You cannot manufacture an express contract out of statutory compliance paperwork.

Why This Case Is a Big Deal

Here’s why Beck matters in real practice.

Data breaches are everywhere. Plaintiffs’ firms are filing class actions as a reflex. Against private companies, those cases at least get past the sovereign immunity hurdle.

Against Florida governmental entities, Beck makes clear that the runway is very short.

If your theory is:

“Our data has value and you diminished that value,”

or

“We spent money on credit monitoring,”

you are probably not getting past sovereign immunity.

Unless you can plead and prove:

• personal injury,
• tangible property damage, or
• a true express written contract,

you are likely facing dismissal with prejudice.

Judge Forst’s Special Concurrence

Judge Forst wrote separately to say that City of Pembroke Pines was “instructive” rather than strictly “controlling.” That’s doctrinal nuance. It does not change the outcome.

The bottom line remains the same.

What This Means for Lawyers

If you represent plaintiffs:

Before filing a data-breach suit against a Florida governmental entity, ask yourself whether sovereign immunity makes the case legally nonviable from day one. The statute is narrow. Courts will not expand it to accommodate modern privacy harms.

If you represent governmental entities:

Beck should be in your first motion to dismiss. Frame the damages as economic. Emphasize strict construction. Separate abstract informational harm from tangible property damage.

If you represent contractors or vendors dealing with public hospitals or districts:

Remember that “we’ll sue them” is not always a meaningful threat when sovereign immunity stands between the claim and recovery.

The Bigger Picture

Beck reinforces a broader pattern in Florida jurisprudence: courts are not going to let modern economic theories erode traditional sovereign immunity boundaries.

If the Legislature wants governmental entities exposed to broad data-breach liability, it can amend section 768.28.

Until that happens, Beck tells us exactly where the line is.

And it’s a hard line.