A federal appeals court has ruled that state officials violated the Fourth Amendment when they orchestrated the covert retrieval of documents from a nonprofit’s Dropbox folder, an outcome that significantly strengthens legal protections for digital privacy in cloud-based environments.
In a 25-page decision issued May 28, 2025, the US Court of Appeals for the Fifth Circuit held that The Heidi Group, a Texas-based pro-life healthcare organization, had a reasonable expectation of privacy in its digital files and that a state investigator’s role in acquiring them without judicial authorization amounted to an unconstitutional search.
We obtained a copy of the decision for you here.
Writing for the court, Judge Andrew S. Oldham emphasized that the constitutional right to be free from unreasonable searches extends to “the content of stored electronic communications,” including files housed in commercial cloud platforms.
“Heidi has a reasonable expectation of privacy in its documents and files uploaded to Dropbox,” the opinion stated. “Heidi’s records are analogous to letters, phone calls, emails, and social media messages: Each contains information content transmitted through or stored with an intermediary that is not intended to ‘be broadcast to the world.’”
The controversy arose after Phyllis Morgan, a former employee of The Heidi Group, exploited her lingering access to the organization’s Dropbox folder for nearly a year after being terminated.
Rather than reporting the breach or seeking lawful channels to obtain the data, a senior investigator from the Texas Health and Human Services Commission’s Office of Inspector General (OIG), Gaylon Dacus, allegedly encouraged the ex-employee to continue accessing the nonprofit’s confidential materials and forward them to the state.
According to the court, Dacus not only knew about the ongoing intrusion but explicitly supported it.
The opinion recounted how Morgan “informed Dacus that she had access to Heidi’s Dropbox account, despite having been terminated. Dacus, in response, specifically requested that Morgan ‘send’ him any new ‘information’ about Heidi.”
The court pointed to email exchanges where Dacus responded, “Thank you for the additional information. Much appreciated,” and later asked Morgan to confirm she “still” had “access to all [Heidi’s] information.”
Morgan eventually admitted to law enforcement that she “provided all the documents she obtained to the State, and that ‘everybody at the State’ knew she was accessing Heidi’s Dropbox.”
The Fifth Circuit rejected arguments that Heidi’s contractual obligations with the state permitted such intrusions, stating that it is “implausible to read these provisions to grant a freewheeling right to every Texas official to access all of Heidi’s records at any time, in any place, and in any way.”
The court added: “It would be absurd to say that this contract gave Texas officials the right to break into Heidi’s office at night and physically remove Heidi’s records. Likewise, it would be absurd to conclude that Texas officials had an unlimited right to surreptitiously break into Heidi’s online folders.”
While the court granted qualified immunity to two other officials who were not directly involved in the unauthorized data access, it denied that protection to Dacus.
His actions, the court concluded, violated “clearly established” law regarding the Fourth Amendment. “Dacus’s conduct is precisely the type of ‘arbitrary invasion’ of privacy the Fourth Amendment was meant to protect against,” the opinion stated, citing Carpenter v. United States.
In addition, the court rejected the officials’ claim to immunity under Texas law for allegedly violating the state’s computer access statute. The ruling found that the actions of Dacus and others did not meet the standard of “good faith” required for such immunity.
“This was not a good-faith act,” the court declared, noting that “officials could have requested that Heidi send its documents to the State. Or they could have obtained a subpoena ordering Heidi to do so. But instead… chose to use an ex-employee to surreptitiously retrieve Heidi’s documents.”
The court’s reasoning also included a strong rebuke of attempts to stretch the third-party doctrine to cover such activity.
“The government cannot access the content of Heidi’s documents and files without implicating the Fourth Amendment,” the panel wrote, pointing out that Dropbox’s role as a storage provider did not eliminate Heidi’s privacy interest in the content.
This decision is expected to have far-reaching implications for digital privacy, especially for entities storing sensitive information in cloud-based services. It affirms that constitutional protections remain firmly in place even when data resides on third-party servers, so long as that data is not voluntarily exposed to the public.
“The Fourth Amendment does not countenance such conduct,” the ruling concluded.