Navvis & Company and SSM Health Agree to $6.5 Million Data Breach Settlement
Navvis & Company and SSM Health Care Corporation have agreed to a $6.5 million settlement to resolve all claims related to a 2023 data breach that affected 2.8 million individuals. Navvis & Company is a population health company that partners with health systems, physician enterprises, and health plans to help them with value-based care. SSM Health is a healthcare provider serving patients in Illinois, Missouri, Oklahoma, and Wisconsin. Between July 12, 2023, and July 25, 2023, a cybercriminal group had access to the network of Navvis & Company, exfiltrated sensitive data, and used ransomware to encrypt files. The stolen data included the protected health information of patients and plan members of SSM Health, Arkansas Health Network, Horizon Blue Cross Blue Shield of New Jersey, RWJBH Corporate Services, Hawai’i Medical Service Association, Triple-S Management Corporation, Allina Health, and Florida Medical Clinic.
The forensic investigation confirmed that approximately 2.8 million individuals had their data exposed or stolen in the incident, including names, dates of birth, Social Security numbers, beneficiary HIC numbers, case identification numbers, health plan information, health record information, medical record numbers, diagnosis/clinical information, medical treatment/procedure information, and health insurance information. Notification letters were mailed to the affected individuals on a rolling basis between September 22, 2023, and June 4, 2024.
At least six lawsuits were filed against Navvis & Company and others in response to the data breach. Since the lawsuits asserted similar claims and were based on the same facts, they were consolidated into a single class action complaint. That complaint was filed on March 11, 2024, in the Circuit Court of St. Louis, Missouri – Doe, et al. v. SSM Health Care Corporation d/b/a SSM Health, et al.
The lawsuit claimed the defendants were negligent by failing to implement reasonable and appropriate safeguards to prevent unauthorized access to patient data, and if reasonable security measures had been implemented, the data breach could have been prevented. The plaintiffs claimed to have suffered a range of harms as a result of the theft of their sensitive data. The defendants deny each and every claim and contention in the litigation and deny all wrongdoing and liability; however, they concluded that the litigation would likely be protracted and expensive, and combined with the uncertainty and risks associated with any litigation, the decision was taken to negotiate a settlement.
Under the terms of the settlement, a $6,500,000 settlement fund will be established to cover class members’ claims, attorneys’ fees, class representative awards, and legal costs and expenses. Class members may submit a claim for up to $2,000 for reimbursement of documented ordinary losses incurred as a result of the data breach, which may include losses such as bank fees, communication charges, travel expenses, and credit monitoring costs. In addition, claims may be submitted for up to $5,000 as reimbursement for documented extraordinary losses, such as losses to identity theft and fraud. Class members are also entitled to receive a pro rata cash payment, which will be paid once all claims, costs, and expenses have been deducted from the settlement fund. The amount will depend on the number of valid claims received. All class members are also entitled to two years of three-bureau credit monitoring services.
The settlement has received preliminary approval from the court, and the final approval hearing is scheduled for July 10, 2025. The deadline for exclusion from and objection to the settlement is June 6, 2025, and the deadline for submitting claims is July 7, 2025.


