Your Medical Records Disappeared. Now What?
Imagine walking into your therapist’s office or your doctor’s clinic and hearing five words that stop you cold: “We can’t find your records.” Not misplaced in a filing cabinet somewhere. Not delayed by a slow system. Gone. Encrypted and held for ransom by a criminal organization operating from the other side of the planet. For roughly 5.6 million patients across the Ascension Health network, that scenario became terrifyingly real in May 2024. And for those of us living and working in the Birmingham metro, the fallout landed right in our backyard.
This is not a story about distant hacking. This is a story about what happens to real people in Trussville, Pell City, Blount County, and downtown Birmingham when a hospital system’s digital nervous system is severed overnight. It is a story about your rights when that happens. And it is a story about what every person receiving healthcare in Alabama should understand right now, because the rules governing your medical data are about to change dramatically.
What Actually Happened at Ascension St. Vincent’s
In May 2024, a single employee within the massive Ascension Health system accidentally downloaded a malicious file. That one click triggered a ransomware attack so severe that the organization had to disconnect its primary clinical networks across the entire country. Here in central Alabama, that meant Ascension St. Vincent’s facilities in Birmingham, Trussville, Pell City, Chilton County, Blount County, and St. Clair lost access to their Epic electronic health record system, their patient portals, and their internal communications. Nurses and doctors were forced to chart by hand. Imaging departments could not transmit MRI or CT results electronically. Several emergency departments went on divert status, meaning ambulances carrying critically ill patients had to be rerouted to other hospitals across the metro area.
Think about the psychological weight of that for a moment. You are a patient in labor, or you are having chest pains, or your child is running a high fever, and the ambulance is told it cannot take you to the nearest hospital. The ripple effects on patient trust, on the felt sense of safety within a healthcare relationship, are enormous. From a somatic and trauma-informed perspective, these are not abstract institutional failures. They register in the body as threats to survival.
The Financial Collapse That Reshaped Birmingham Healthcare
The numbers tell a staggering story. Ascension Health had been on the mend financially, trimming its operating loss from $1.9 billion in fiscal year 2023 down to $332 million in the ten months before the attack hit. Then the ransomware detonated, and everything reversed. Patient volumes dropped between 8% and 12% in May and June alone as elective surgeries were canceled and insurance claims could not be processed. By the end of fiscal year 2024, Ascension reported a net loss of approximately $1.1 billion.
The instability was so profound that it catalyzed one of the most significant healthcare transactions in Alabama history. On November 1, 2024, the UAB Health System Authority finalized a $450 million acquisition of Ascension’s central Alabama hospitals, rebranding them as UAB St. Vincent’s. UAB has since committed an additional $380 million to migrate all its entities to a unified Epic electronic health record platform over the next seven years. That migration is genuinely good news for long-term care coordination. But it also means that thousands of paper records generated during the ransomware downtime must now be manually digitized and reconciled, a process that anyone who has worked in clinical documentation knows is ripe for transcription errors and data gaps.
The “Missing Record” Problem and Why It Matters for Therapy Clients
Here is where this story intersects directly with mental health and psychotherapy. When a hospital system goes dark, the records that vanish or degrade are not just billing codes and insurance numbers. They include psychiatric histories, medication lists, allergy profiles, trauma assessments, and years of carefully documented clinical narratives. For someone engaged in long-term therapy for complex trauma, the integrity of that record is not a bureaucratic nicety. It is a lifeline. A missing medication history can lead to dangerous drug interactions. A lost psychiatric evaluation can mean starting over from scratch with a new provider who has no context for your treatment.
The psychological impact compounds the clinical one. To have your most vulnerable disclosures, the things you told a provider in confidence about your history, your symptoms, and your fears, suddenly become part of a data breach affecting millions of people is a violation that operates on a deeply personal level. It can reactivate the very feelings of powerlessness and betrayal that brought someone into therapy in the first place. For clinicians practicing from a Brainspotting or Somatic Experiencing framework, this kind of institutional rupture is not merely annoying. It is a potential re-traumatization event that deserves clinical attention.
Your Federal Rights Under HIPAA: What Birmingham Patients Need to Know
If you have ever been told by a healthcare provider in Alabama that your records are “unavailable” or “lost” following a cyberattack, you should know that federal law has something to say about that. The HIPAA Privacy Rule grants every patient a Right of Access to their medical records, and that right does not evaporate because a hospital got hacked.
Under the Privacy Rule, a healthcare provider must furnish your records within 30 days of your written request. Federal guidance from the HHS Office for Civil Rights (OCR) makes clear that a cybersecurity incident does not excuse a covered entity from its obligation to maintain access to your protected health information. Beyond that, the HIPAA Security Rule requires providers to maintain retrievable exact copies of electronic patient data and to have emergency continuity plans in place. If a hospital tells you that your records were permanently destroyed in a ransomware attack, that statement is functionally an admission that the institution failed to maintain adequate backups, which is itself a regulatory violation.
The OCR has not been shy about enforcing these requirements. By early 2026, the agency had settled more than 50 cases under its dedicated Right of Access enforcement initiative. A December 2025 settlement with Concentra, Inc. for $112,500 demonstrated that even a single patient’s repeated, unanswered requests for records can trigger significant federal consequences. Other enforcement actions have resulted in penalties ranging from $10,000 to $200,000, with the common thread being that providers who ignore or delay access requests will eventually face scrutiny.
The Alabama Case That Changed Everything: Springhill Memorial and Cyber-Malpractice
Perhaps the most consequential legal development in this entire space originated right here in Alabama. In 2019, Springhill Memorial Hospital in Mobile was struck by a ransomware attack that disabled its fetal monitoring systems. A mother named Teiranni Kidd was in labor during the disruption. She later alleged that because the monitoring equipment could not communicate with the central nurse station, clinical staff failed to detect signs of fetal distress. The delay in performing an emergency Caesarean section allegedly caused the baby to suffer severe brain damage. The child passed away nine months later.
This case, widely covered in cybersecurity and legal journalism, represents the first time a United States court entertained the theory that a hospital’s failure to maintain its IT security could be the proximate cause of a patient’s death. While a settlement was reportedly reached in April 2024, the legal precedent is already reverberating through the field.
Then, on April 8, 2025, the Alabama Supreme Court weighed in on a related petition in Ex parte Springhill Hospitals, Inc. The hospital had argued it should be shielded from liability under Governor Kay Ivey’s 2020 COVID-19 emergency proclamations and the Alabama Coronavirus Immunity Act. The Supreme Court rejected that argument, ruling that pandemic immunity requires a specific causal link between the alleged negligence and a pandemic-related resource shortage. In plain language, a hospital cannot hide behind COVID to avoid accountability for cybersecurity failures. That ruling keeps the door wide open for what legal scholars are calling “cyber-malpractice” claims in Alabama courts.
The Nationwide Wave of Class-Action Settlements
Individual malpractice cases like the Springhill tragedy address one patient’s harm. Class-action lawsuits address the collective damage inflicted on entire patient populations when a system fails to protect their data. Recent settlements across the country have sent a clear signal that courts and juries take these claims seriously.
NextGen Healthcare settled for $19.4 million after failing to encrypt patient data despite a prior breach. McLaren Health Care in Michigan agreed to $14 million after suffering back-to-back ransomware attacks in 2023 and 2024, with plaintiffs arguing the second attack demonstrated a willful refusal to learn from the first. Norton Healthcare settled for $11 million following a BlackCat ransomware attack that affected 2.5 million individuals. And closer to home, Alabama Cardiovascular Group settled for $2.2 million after unauthorized access compromised the protected health information and personally identifiable information of nearly 37,000 patients.
The legal theories driving these cases are worth understanding. Plaintiffs typically argue negligence, claiming the hospital failed to implement industry-standard protections like multi-factor authentication. They argue breach of implied contract, asserting that paying for medical services includes an implicit agreement that data will be stored securely. They argue unjust enrichment, suggesting the hospital prioritized profits over necessary cybersecurity spending. And they argue negligence per se, pointing to specific regulatory violations as automatic evidence of a breached standard of care.
The 2026 HIPAA Overhaul: The Rules Are About to Get Much Stricter
The Department of Health and Human Services is currently rolling out the most significant update to the HIPAA Security Rule since its inception. These changes, expected to be fully enforceable by late 2026 or early 2027, will reshape the legal landscape for every healthcare provider in the country, from massive hospital systems down to solo therapy practices.
The most significant structural change is the elimination of the old distinction between “required” and “addressable” safeguards. Previously, smaller practices could argue that certain security measures were too costly to implement and substitute what they considered equivalent alternatives. Under the new framework, that flexibility disappears. Every covered entity will be held to the same mandatory technical standards. For therapy practices in Birmingham and across Alabama, this means that the security expectations applied to UAB Health System will also apply to your two-person counseling office.
The proposed rule centers on three non-negotiable pillars. First, universal multi-factor authentication across all systems that touch protected health information, including internal EHR logins and billing platforms, not just remote access portals. The OCR has identified the absence of MFA as the single most commonly exploited vulnerability in recent healthcare attacks. Second, standardized encryption for data at rest and in transit, meeting NIST-approved benchmarks. Third, a 72-hour restoration requirement, meaning providers must not only maintain backups but must demonstrate through regular testing that they can restore their entire critical clinical network within three days of a disaster.
What This Means for You in Birmingham
If you are a patient receiving therapy or medical care in the Birmingham area, here is the takeaway. Your medical records are not just administrative paperwork. They are a legal document that your provider is federally obligated to protect and to make available to you upon request. If a cyberattack compromises those records, you have rights under HIPAA, and the enforcement landscape around those rights is becoming more aggressive every year.
If you are a clinician or a healthcare administrator, the message is equally direct. The era of treating cybersecurity as an IT department problem rather than a clinical care and legal liability issue is over. The Springhill case in Mobile demonstrated that a failure in IT security can be legally treated as a failure in patient care. The Alabama Supreme Court has clarified that pandemic-era immunity will not cover unrelated negligence. The forthcoming HIPAA updates will mandate specific technical controls that carry real penalties for non-compliance. And the threat intelligence data shows that healthcare remains the most targeted sector, with the average cost of a breach now exceeding $11 million and attackers dwelling undetected in hospital networks for an average of 241 days.
For those of us in the mental health field, there is an additional dimension to consider. The therapeutic relationship depends on trust, and trust depends on the client’s belief that what they share in session remains protected. When a breach shatters that belief, it does not just create a legal problem. It creates a clinical one. Attending to that rupture, naming it, processing it within the therapeutic frame, is part of the work. At Taproot Therapy Collective, we take the security of client information as seriously as we take the clinical work itself, because in a very real sense, they are inseparable.
Legal Disclaimer: The information presented in this article is intended for educational and informational purposes only. It does not constitute legal advice, and no attorney-client relationship is created by reading this content. The author is a licensed clinical social worker, not an attorney. The legal analysis and regulatory discussion contained herein represent general commentary and informed speculation about trends in healthcare law and cybersecurity regulation. If you believe your medical records have been compromised, if you have been affected by a healthcare data breach, or if you have questions about your specific legal rights under HIPAA or Alabama state law, you should consult a qualified attorney who specializes in healthcare law, data privacy, or medical malpractice. Nothing in this article should be relied upon as a substitute for professional legal counsel tailored to your individual circumstances.
Joel Blackstock, LICSW-S, is the Clinical Director of Taproot Therapy Collective in Hoover, Alabama, specializing in complex trauma treatment, qEEG brain mapping, and neuroscience-informed psychotherapy.