Surreptitious Electronic Searches via Private Intermediaries Violate the Fourth Amendment: Agent Liability Established in Heidi Group v. Texas Health and Human Services

Introduction

The Fifth Circuit’s decision in The Heidi Group, Inc. v. Texas Health and Human Services Commission (No. 23-50303, May 28, 2025) addresses two overlapping legal questions: (1) whether government officials may evade the Fourth Amendment by using a private individual to obtain confidential corporate files, and (2) whether Texas state‐law immunities protect those officials from suit. The Heidi Group (“Heidi”) is a pro-life clinic network that contracted with the Texas Health and Human Services Commission (“THHSC”) to participate in two state-funded, abortion-alternative programs. After audit disputes and negative media publicity, THHSC terminated Heidi’s contracts “for convenience.” Separately, a former Heidi employee, Phyllis Morgan, retained access to Heidi’s Dropbox folder and shared confidential clinic documents—at the behest and encouragement of OIG officials, including investigator Gaylon Dacus. Heidi sued, bringing (i) a § 1983 claim for Fourth Amendment violations against Dacus (and two other OIG officers) in their individual capacities, (ii) an official-capacity § 1983 claim seeking injunctive relief, (iii) a state-law tort claim under Tex. Civ. Prac. & Rem. Code § 143.001 for “unlawful access” to its computer systems, and (iv) a state-law religious-discrimination claim under Tex. Civ. Prac. & Rem. Code § 106.001.

Summary of the Judgment

The Fifth Circuit:

• Dismissed for lack of appellate jurisdiction all claims against THHSC, OIG and the officials in their official capacities (the § 106.001 religious-discrimination claim and the § 1983 injunctive claim).
• Reversed the denial of judgment on the pleadings as to the individual-capacity § 1983 claim against Dirk Johnson and Jennifer Kaufman, finding no state action or plausible conspiracy allegations against them.
• Affirmed the denial of judgment on the pleadings as to the § 1983 Fourth Amendment claim against Gaylon Dacus, holding (1) Dacus acted under “color of state law” by using Morgan as a government agent, (2) her Dropbox searches constituted a “search” under the Fourth Amendment, (3) no qualified immunity shielded Dacus, and (4) the “third-party doctrine” did not defeat Heidi’s reasonable expectation of privacy in its files.
• Affirmed the denial of Texas official-immunity on the unlawful-access claim against Johnson, Kaufman, and Dacus under Tex. Penal Code § 33.02(a) and the private-enforcement statute, Tex. Civ. Prac. & Rem. Code § 143.001.

Analysis

Precedents Cited

• Katz v. United States, 389 U.S. 347 (1967) – established that a warrantless intrusion on a private telephone conversation is a Fourth Amendment search; introduced the “reasonable expectation of privacy” test.
• Ex parte Jackson, 96 U.S. 727 (1878) – held the contents of sealed letters in the mail are protected by the Fourth Amendment, even though letters’ outward form (weight and shape) may be inspected.
• United States v. Miller, 425 U.S. 435 (1976) – held a bank customer lacks a Fourth Amendment interest in bank‐held records, but distinguished “negotiable instruments” from private communications.
• California v. Patel, 576 U.S. 409 (2015) – required precompliance review by a neutral arbiter for administrative searches of business records; a naked administrative demand without judicial oversight violates the Fourth Amendment.
• United States v. Bazan, 807 F.2d 1200 (5th Cir. 1986) and United States v. Miller, 688 F.2d 652 (9th Cir. 1982) – developed multifactor tests to determine when a private person acts as a government agent for Fourth Amendment purposes.
• Swint v. Chambers County Commission, 514 U.S. 35 (1995) – described the narrow scope of the collateral‐order doctrine and the conditions for pendent appellate jurisdiction.
• Mitchell v. Forsyth, 472 U.S. 511 (1985) – held that denial of qualified immunity is immediately appealable as a collateral order because the immunity from suit is “effectively lost” if the case proceeds to trial.
• City of Lancaster v. Chambers, 883 S.W.2d 650 (Tex. 1994) and Ballantyne v. Champion Builders, 144 S.W.3d 417 (Tex. 2004) – set out the standard for Texas official immunity (discretionary act; good faith; scope of authority).

Legal Reasoning

State Action via Private Intermediary

The Fourth Amendment bars only “governmental action,” but the Fifth Circuit has long held that when a government official “encourages” or “acquiesces in” a private individual’s intrusive conduct, that private person acts as a state agent. Under both the Miller test (knowledge/acquiescence + intent to assist law enforcement) and the Bazan test (government initiation + specific knowledge + (optional) compensation), investigator Dacus’s repeated requests to Morgan to “send” him confidential files converted her into a state actor. The court found sufficient allegations that Dacus (1) knew Morgan still had Dropbox access after termination, (2) repeatedly encouraged her to retrieve more documents, and (3) thanked her for providing those materials.

The Search and Reasonable Expectation of Privacy

Heidi’s confidential business records and patient‐care documents (stored in a password-protected cloud folder) are the functional equivalent of sealed letters or emails—content that remains private even when transmitted or stored by a third-party intermediary (Dropbox). The “third-party doctrine” does not extend to the content of documents not exposed to the public. Nor did Heidi’s contract with THHSC grant an unfettered license to break‐in, spy, or hack: it envisioned cooperative exams or subpoenas, not clandestine electronic breaching. Because Dacus never sought a subpoena or provided any precompliance process, his collusive workaround violated Patel’s requirement of neutral, pre-search review.

Qualified Immunity

Qualified immunity protects officials when they do not violate clearly established rights of which a reasonable officer would have known. Here, the Fifth Circuit found that no reasonable official could have believed it lawful to induce a private person to clandestinely breach a contractor’s cloud storage—especially given the robust line of Supreme Court and Fifth Circuit precedents (Katz, Jackson, Patel) on electronic and administrative searches. Thus Dacus is not entitled to qualified immunity; Johnson and Kaufman are entitled to immunity only because Heidi’s complaint did not plausibly allege their involvement in the plot or any state action by them.

Pendent and Collateral Jurisdiction

The court applied the collateral-order doctrine to hold that (i) denials of qualified immunity and Texas official immunity are immediately appealable, but (ii) official-capacity claims and purely state-law claims against the sovereign are not subject to interlocutory appellate review unless “inextricably intertwined” or “necessary for meaningful review.” Finding none of the narrow bases for pendent jurisdiction, the Fifth Circuit dismissed the appeals of THHSC, OIG, and the officials in their official capacities.

Impact

This decision clarifies and extends Fourth Amendment protection in three key respects:

1. It affirms that the Fourth Amendment reaches private-actor searches when the government uses a third party as its proxy, closing a potential loophole for “surveillance by proxy.”
2. It emphasizes that cloud-hosted, password-protected business records enjoy the same constitutional shield as sealed letters, emails, and traditional corporate books and records—regardless of the involvement of a third-party storage provider.
3. It underscores that state actors must follow established administrative-search procedures (e.g., subpoenas, precompliance review) rather than resort to stealth tactics if they wish to inspect a contractor’s data for audit or investigatory purposes.

Future litigants and agencies should note that secrecy cannot substitute for judicial oversight, and conspiratorial misuse of private intermediaries invites both federal constitutional liability and state-law tort remedies.

Complex Concepts Simplified

• State Action by Proxy: If a government official knowingly asks a private person to perform an intrusive act (e.g., hacking or copying files), that private person is treated as acting for the government. The Fourth Amendment thus applies to their conduct.
• Reasonable Expectation of Privacy: You can’t shield your letters from the post office—but the contents of sealed letters or private emails remain protected, even though a third party carries or stores them.
• Administrative Search vs. Criminal Search: An administrative search (e.g., a health-and-safety or contract audit) generally requires only a subpoena and limited procedural safeguards. But it still demands notice and an opportunity to challenge the demand before a neutral decision-maker.
• Qualified Immunity: Government officials are shielded from damages suits unless they infringe a right that was clearly established at the time of conduct—“clearly established” means a court had already held that identical or similar conduct is unconstitutional.
• Collateral‐Order Doctrine: Some rulings (like denying an immunity defense) are immediately appealable, even though the case is not over, because those issues would be effectively lost if the case continued to trial.

Conclusion

The Fifth Circuit’s ruling in Heidi Group v. Texas Health and Human Services marks a milestone in Fourth Amendment jurisprudence for the digital age. It reaffirms that government actors cannot circumvent privacy rights by deputizing private intermediaries or ex-employees, and it reinforces the necessity of judicial or administrative process before accessing private corporate data. State officials must respect both federal constitutional protections and Texas’s own tort immunities when investigating contractors. This decision will guide future disputes over cloud-based records, digital audits, and the lawful boundaries of governmental oversight.