Healthcorp is still liable, you can subcontract a job, but uou can't subcontract the responsibillity.

What I mean is that Healthcorp should have procedures to test the backup, and as soon as it failed, they should inform the government.

It can also be asked, why Healthcorp only had one backup of the data, when it is best practice to have a 3-2-1 backup system, if Archivetopia offered a service as a 3-2-1 solution, why didn't Healthcorp select that? If they did why didn't they verify the claims of the service?

At the end, Healthcorp would get hit with a fine, but they in turn could sue Archivetopia for breach of contract.

That may be the beginning of a chain of lawsuits starting with Healthcorp because the first breach of contract would be between them and the patient. They would then bring a lawsuit against the contractor for their failures that breached contract between companies.

This is guesswork, mind you and if someone has a sure answer I'd be interested in knowing. Great question!

Unless Healthcorp can be shown to have contributed to the loss of data, I would think Archivetopia will take the full blame. For example, if they knew Archivetopia was prone to losing data and had a good chance of losing their data then perhaps they could also share in the liability.

Who is liable in this case?

What country did this happen in?

Without this all the answers will be useless if the person answering lives somewhere you don't.

I'm not a lawyer, but I think this would be on archivetopia. I think the question would be whether healthcorp had taken reasonable care to preserve these records, or had been negligent by leaving them entirely in the hands of archivetopia. It seems to me that the former would be the case, and that archivetopia has failed to appropriately safeguard those files, if a random employee can delete them without any procedures in place to prevent that or to keep additional backups.

Obviously there are multiple points of failure here - any one out of healthcorp, archivetopia, or the employee could have acted differently to prevent this. But if healthcorp had a reasonable expectation that handing these documents over to archivetopia would meet their obligations to preserve them, they should be in the clear - just as they would be if their document warehouse met all health and safety regulations but somehow burned down anyway. In both cases, they did what they could but events beyond their control resulted in data loss. In both cases, there is still a question about reasonable care: Did their warehouse meet all safety requirements? Did they have good reason to believe that these documents would be safe with archivetopia? If the answer to those questions is no, they are still at fault. If yes, they are in the clear.

On top of this, archivetopia is certainly at fault (multiple parties may be in the wrong here). And of course, the employee is at fault, although I don't know if they'd be legally culpable or if it would be an internal matter.

Not a conclusive answer, but I hope this helps to clarify some of the considerations involved.