419 So.3d 12
Ala.2024Background
- Shymikka Griggs, a former employee of NHS Management, LLC (a consulting firm for nursing homes), sued NHS for a 2021 data breach in which sensitive personal and health data was compromised by cybercriminals.
- Griggs alleged that her personal information was leaked, leading to spam messages, fraudulent credit inquiries, and apparent identity theft, and she sought to represent a class of similarly affected individuals.
- Her claims included negligence, negligence per se, breach of contract, invasion of privacy, unjust enrichment, breach of confidence, breach of fiduciary duty, and violation of the Alabama Deceptive Trade Practices Act.
- The Jefferson Circuit Court dismissed her case with prejudice for failure to state a claim under Rule 12(b)(6), Ala. R. Civ. P.
- On appeal, the Supreme Court of Alabama affirmed, focusing on whether Griggs's complaint sufficiently pleaded her claims and whether legal authority supported her arguments.
Issues
| Issue | Plaintiff’s Argument | Defendant’s Argument | Held |
|---|---|---|---|
| Negligence Duty | NHS owed duty under HIPAA and common law to protect data | No legal authority that such a duty exists; duty not sufficiently pleaded | Griggs failed to cite sufficient authority; claim insufficient |
| Negligence Per Se | NHS’s HIPAA/FTCA violations establish duty and breach | No private right of action under these statutes; lack of proximate causation | Griggs did not sufficiently plead all required elements |
| Invasion of Privacy | NHS's failure to protect info is highly offensive and actionable | Must show intentional conduct, which is not alleged | No intentional act pleaded; claim fails |
| Unjust Enrichment | Wages included payment for data security NHS failed to provide | No benefit conferred specifically for data security | Allegations insufficient for unjust enrichment |
| Breach of Confidence | NHS failed to secure data entrusted by Griggs | Breach of confidence not recognized under AL law; no affirmative disclosure | Not a recognized claim, and no disclosure alleged |
| Breach of Fiduciary Duty | Special relationship due to NHS’s possession of data | No fiduciary relationship between employer and employee | No authority for exception to general rule; argument waived |
Key Cases Cited
- Davis v. Sterne, Agee & Leach, Inc., 965 So. 2d 1076 (Ala. 2007) (insufficient briefing when only general elements without supporting authority are cited)
- S.B. v. Saint James Sch., 959 So. 2d 72 (Ala. 2006) (necessity of citing specific authority for each pleading element on appeal)
- Prill v. Marrone, 23 So. 3d 1 (Ala. 2009) (standard elements of negligence claim under Alabama law)
- Carroll v. Shoney's, Inc., 775 So. 2d 753 (Ala. 2000) (limited duty of employer for third-party criminal acts; duty only in exceptional circumstances)
- Miller v. SCI Sys., Inc., 479 So. 2d 718 (Ala. 1985) (general rule that employer is not a fiduciary of employee)
- Nance v. Matthews, 622 So. 2d 297 (Ala. 1993) (Rule 12(b)(6) dismissal standard)
