
Data breaches involving Protected Health Information (“PHI”) are increasing, and they expose both healthcare organizations and the software companies that support them to greater legal scrutiny. As hospitals, insurers, and medical providers depend on third-party platforms to store and transmit PHI, plaintiffs’ lawyers are more frequently testing product liability and negligence theories against the software developers and vendors whose products fail to prevent or detect intrusions.
The Stakes of PHI Protection
PHI encompasses any individually identifiable information related to a patient’s health, treatment, or payment for care, whether it is stored electronically, on paper, or communicated verbally, and its protection is mandated by the HIPAA Privacy Rule (with the Security Rule governing PHI in electronic form). Healthcare organizations are attractive targets because a full medical record commands a premium on the black market: unlike a payment card, a patient’s diagnoses, Social Security number, and insurance details cannot be reissued.
Under HIPAA, covered entities and their business associates must retain required documentation (policies, procedures, and records of required actions such as authorizations and accountings of disclosures) for at least six years from the date it was created or the date it was last in effect, whichever is later. HIPAA itself sets no retention period for the medical record; that is left to state law, and Alabama is stricter: general medical records must be kept for at least seven years from the patient’s last contact with the physician.
This extended retention period expands the amount of data—and potential liability—for both healthcare providers and the software vendors managing their systems.
The Litigation Landscape: Duty, Data, and Duration
The increase in PHI breaches has fueled a parallel rise in litigation. Plaintiffs argue that healthcare entities (and, increasingly, their vendors) expose patients to unnecessary risk by storing data long after its operational usefulness expires. Yet, those entities cannot simply delete data at will; they must comply with a web of federal, state, and contractual retention mandates.
A recent decision shows how courts are handling these claims. In *Griggs v. NHS Mgmt., LLC*, No. SC-2023-0784, 2024 Ala. LEXIS 191, at *1 (Nov. 15, 2024), NHS, a management company for rehabilitation facilities and nursing homes, discovered a breach in May 2021 but did not notify affected individuals until March 2022, roughly ten months later (HIPAA’s Breach Notification Rule requires notice without unreasonable delay and no later than 60 days after discovery). The plaintiff, a former NHS employee, alleged that her medical information and Social Security number were exposed, that fraudulent activity followed, and that she had to purchase credit monitoring. She filed a class action alleging negligence and negligence per se.
The Alabama Supreme Court rejected her claims, holding that Griggs had cited no legal authority establishing a duty on NHS to protect employee information from a cyberattack. The Court further held that the Alabama Data Breach Notification Act neither creates a private cause of action nor establishes a common-law duty. Under Alabama law, employers are generally not obligated to safeguard employees’ personal data from the criminal acts of third parties absent “extraordinary circumstances or a special relationship.” See Carroll v. Shoney’s, Inc., 775 So. 2d 753, 755–56 (Ala. 2000). The negligence per se claim failed as well: the Court found no evidence that the statutes she cited were intended to protect her as a member of a particular class, which that theory requires.
Why Software Companies Should Take Notice
While Griggs involved an employer and its employees, the reasoning has clear implications for vendors and technology companies whose platforms manage PHI. Plaintiffs may seek to extend negligence and product liability theories, arguing that design defects, inadequate encryption, or a failure to warn about known security vulnerabilities constitute breaches of duty.
As courts and regulators increasingly focus on “reasonable security” expectations, vendors that provide electronic health record (EHR) systems, billing platforms, or cloud-based storage solutions could face claims akin to those traditionally reserved for defective medical devices or physical products. Vendors should also remember that, unlike the employer in Griggs, a vendor that handles PHI is ordinarily a HIPAA business associate, directly subject to the Security Rule and to the terms of its business associate agreements; the absence of a common-law duty in one case is not the absence of any duty.
Proactive Safeguards and Litigation Readiness
PHI breaches occur in many ways, including phishing, ransomware, stolen or reused credentials, and misconfigured cloud storage or access controls. The consequences can be severe: regulatory penalties, class action lawsuits, and reputational damage that affects both healthcare providers and their vendors.
Organizations and software developers alike should implement:
- Technical safeguards — role-based access controls and audit logging, network and endpoint monitoring, encryption of PHI in transit and at rest, and multi-factor authentication (MFA) on remote and privileged access.
- Administrative safeguards — a documented risk analysis, employee training, a tested incident response plan with breach-notification timelines, vendor and business associate oversight, and independent third-party security audits.
- Physical safeguards — restricted access to server rooms and workstations, device and media controls including secure disposal of drives and devices, and full-disk encryption on all laptops and mobile devices (a lost device holding only properly encrypted PHI is generally not a reportable breach under HHS guidance).
The Takeaway
Cybersecurity failures in the healthcare sector are no longer just compliance issues; they now serve as triggers for litigation. As PHI breaches continue, plaintiffs’ theories of liability will keep evolving with them. Healthcare organizations and their software partners should treat cybersecurity not as an IT task alone, but as a vital part of product safety and legal risk management.
About Christian & Small
Christian & Small LLP represents a diverse clientele throughout Alabama, the Southeast, and the nation with clients ranging from individuals and closely held businesses to Fortune 500 corporations. By matching highly experienced lawyers with specific client needs, Christian & Small develops innovative, effective, and efficient solutions for clients. With offices in Birmingham, metro-Jackson, Mississippi, and the Gulf Coast, Christian & Small focuses on the areas of litigation and business, is a member of the International Society of Primerus Law Firms, and is a Mansfield Rule™ Certified Plus Law Firm. Our corporate social responsibility program is focused on education, and diversity is one of Christian & Small’s core values. Please visit www.csattorneys.com for more information.
No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other lawyers.


