Navvis & SSM Health $6.5M Data Breach Settlement: Key Takeaways for CISOs
- Avraham Cohen
- Apr 27, 2025
- 11 min read
If you are in a hurry -> Lessons and Best Practices
Introduction
In late April 2025 it was reported that St. Louis-based SSM Health Care Corporation and its vendor Navvis & Company, LLC agreed to a $6.5 million class-action settlement over a ransomware-driven data breach (SSM Health, Navvis reach $6.5M data breach settlement - Becker's Hospital Review | Healthcare News & Analysis) ($6.5M Navvis, SSM Health data breach class action settlement).
The incident, which occurred from July 12 to July 25, 2023, involved unauthorized access to Navvis’s network and the deployment of ransomware, compromising sensitive personal and health information for approximately 2.8 million current and former SSM Health patients (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01) (SSM Health $6.5M Data Breach Class Action Settlement).
Navvis is a population health management firm that works closely with SSM Health across Illinois, Missouri, Oklahoma and Wisconsin ($6.5M Navvis, SSM Health data breach class action settlement).
Both Navvis and SSM Health have denied wrongdoing, but they agreed to the settlement “to resolve all claims related to the 2023 data breach” (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01) ($6.5M Navvis, SSM Health data breach class action settlement).
The Data Breach Incident
According to the settlement documents and news reports, the breach was caused by an attacker (or attackers) gaining unauthorized access to Navvis’s systems and deploying ransomware (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01) (SSM Health $6.5M Data Breach Class Action Settlement).
Navvis said it learned of the attack around July 25, 2023; the intrusion itself began on July 12, so the attacker had access for nearly two weeks before it was recognized (doe-et-al-v-ssm-health-care-corporation-et-al-settlement-agreement) (SSM Health, Navvis reach $6.5M data breach settlement - Becker's Hospital Review | Healthcare News & Analysis).
The stolen data reportedly included a wide range of highly sensitive information – names, dates of birth, Social Security and Medicare HIC numbers, insurance and medical record data, diagnoses, provider details, and other patient identifiers (doe-et-al-v-ssm-health-care-corporation-et-al-settlement-agreement) (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
In short, the breach exposed protected health information (PHI) for millions of patients.
Importantly, Navvis did not immediately notify affected individuals.
Plaintiffs allege Navvis waited from the time of discovery in July 2023 until December 29, 2023 to begin sending breach-notification letters (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
Notices continued into early 2024 (some as late as February 9, 2024), meaning many victims remained unaware for about seven months that their data had been stolen (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
As a result, individuals “had no idea their Private Information had been stolen” and continued to face significant risk of identity theft or fraud (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
This long notification delay, together with the breadth of data taken, is the core of the plaintiffs' case against Navvis's incident response and security monitoring; it is an allegation, not a finding, since both defendants deny wrongdoing.
Plaintiffs and Legal Claims
The class action (styled John Doe, et al. v. SSM Health Care Corporation d/b/a SSM Health, et al., Case No. 2422-CC00208-01, in St. Louis, MO) is brought by affected patients (identified as class representatives “John Doe” and “Jane Doe” to protect privacy) ($6.5M Navvis, SSM Health data breach class action settlement).
(A related federal class action consolidated numerous cases, with named plaintiffs from multiple states including Missouri, Florida, Illinois and Wisconsin (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).)
In essence, the plaintiffs contend that Navvis and SSM (as a Navvis customer) negligently failed to safeguard patient data and comply with cybersecurity norms.
Key allegations include:
Negligence and Negligence Per Se: Plaintiffs allege Navvis owed a duty to protect patient information but breached it by failing to maintain reasonable security measures. The complaint explicitly states Navvis’s conduct “amounts to negligence and violates federal and state statutes and guidelines” (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint). (In particular, reference is made to the Federal Trade Commission Act’s ban on unfair practices and to various data security and privacy laws.) Plaintiffs claim Navvis did not implement industry-standard safeguards (e.g. encryption, multi-factor authentication, timely software updates, network monitoring) that could have prevented the ransomware intrusion ($6.5M Navvis, SSM Health data breach class action settlement) (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint). They further allege that Navvis failed to timely detect or contain the breach and then unreasonably delayed notifying affected individuals, aggravating the harm (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
Breach of Contract / Implied Contract and Bailment: Because Navvis held patient data (often under contract with health plans and providers), plaintiffs assert breach of contract and “implied contract” claims. They argue Navvis had an obligation (explicit or implicit) to use the entrusted data only for legitimate purposes and to protect it from theft. These claims are common in health-data breaches. Under bailment theories, plaintiffs say Navvis was entrusted with their private information and was obligated to return or safeguard it.
Violation of Statutes (Consumer Protection, Data Security): Plaintiffs assert violations of state consumer protection and data security laws. For example, Missouri’s and other states’ data breach notification statutes require prompt notice to victims; plaintiffs argue Navvis’s delay violated those laws. They also cite unfair and deceptive trade practices acts (e.g., Florida’s FDUTPA, Missouri’s MMPA) to allege the companies misrepresented the security of their systems. The settlement agreement’s release language explicitly lists “violations of any state data privacy, data security or state consumer protection statutes” as covered claims (doe-et-al-v-ssm-health-care-corporation-et-al-settlement-agreement). (HIPAA itself does not give individuals a private cause of action, but the breach involves PHI, so HIPAA/HITECH regulations likely inform certain duties or guidelines even if not directly sued upon.)
Unjust Enrichment: As an alternative to contract claims, the complaint includes unjust enrichment. This theory argues that Navvis benefitted from using plaintiffs’ data (for analytics or business) without adequately protecting or compensating them when it was stolen (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
Invasion of Privacy and Fraud-Related Harms: Plaintiffs claim the breach caused a loss of privacy and led to concrete injuries (identity theft, financial fraud, out-of-pocket expenses, emotional distress, etc.). The consolidated complaint enumerates harms like posting of data on the dark web, unauthorized credit or benefits inquiries, stress and annoyance, diminished value of personal data, and costs of credit monitoring or identity restoration (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
In sum, the lawsuit paints a picture of a foreseeable, preventable attack for which Navvis (and its customer SSM Health) were allegedly unprepared.
The plaintiffs seek to hold them accountable through class relief – reimbursement of actual losses, statutory damages, credit monitoring and related remedies, and enhancements to security practices.
Settlement Details
Under the settlement agreement (final court approval is still pending, with a fairness hearing set for July 2025), Navvis and SSM Health will pay $6.5 million into a fund to resolve all class claims (SSM Health, Navvis reach $6.5M data breach settlement - Becker's Hospital Review | Healthcare News & Analysis) ($6.5M Navvis, SSM Health data breach class action settlement).
Crucially, neither company admitted liability or wrongdoing as part of the deal ($6.5M Navvis, SSM Health data breach class action settlement). The settlement covers “all claims” related to the breach, including negligence, consumer protection, contract, and privacy claims (see above) (doe-et-al-v-ssm-health-care-corporation-et-al-settlement-agreement).
Class members are eligible for a range of benefits. Per the settlement notice, individuals whose data was compromised between July 12–25, 2023 can submit a claim by July 7, 2025 ($6.5M Navvis, SSM Health data breach class action settlement) (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01). Key terms include ($6.5M Navvis, SSM Health data breach class action settlement):
Cash Reimbursements: Up to $2,000 for documented “ordinary” losses (e.g. bank fees, credit-monitoring or identity-theft detection expenses, phone or postage costs), and up to $5,000 for documented “extraordinary” losses (e.g. proven identity theft or fraud suffered as a result of the breach). These reimbursements apply to losses incurred between mid-July 2023 and the notification cutoff (June 6, 2024) ($6.5M Navvis, SSM Health data breach class action settlement).
Pro Rata Payments: In addition to specific reimbursements, all valid claimants will share in a pro-rata distribution of the remaining settlement fund. The exact per-person payout will depend on the number of claims submitted ($6.5M Navvis, SSM Health data breach class action settlement).
Credit Monitoring: All class members are offered two years of free credit monitoring (three-bureau) through the settlement ($6.5M Navvis, SSM Health data breach class action settlement). This helps cover ongoing risk from the exposed data.
Final hearing and claim deadlines are set: class members must file by July 7, 2025, with opt-outs/objections by June 6, 2025, and a fairness hearing scheduled for July 10, 2025 ($6.5M Navvis, SSM Health data breach class action settlement).
Those deadlines mirror the official settlement site information (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01) ($6.5M Navvis, SSM Health data breach class action settlement).
As with most breach settlements, plaintiffs’ counsel will seek attorney’s fees (included in the $6.5M) and a service award for the class representatives.
Technical Shortcomings and Cybersecurity Failures
The Navvis/SSM breach and subsequent litigation highlight several technical and organizational failures that cybersecurity leaders must note:
Inadequate Perimeter and Network Security: The public record says only that attackers “gained access to Navvis’ network” and deployed ransomware (John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al. – Circuit Court of the City of St. Louis, State of Missouri | Case No. 2422-CC00208-01) (SSM Health $6.5M Data Breach Class Action Settlement); the entry vector has not been disclosed. Initial access in ransomware cases most commonly comes through exposed remote access, stolen or phished credentials, or an unpatched internet-facing service. CISOs should therefore ensure remote-access points are locked down (MFA on VPNs, no RDP reachable from the internet), administrative privileges are tightly limited and kept separate from day-to-day accounts, the network is segmented so that one compromised workstation cannot reach every file share, and internet-facing assets are scanned for vulnerabilities on a regular cadence.
Poor Threat Detection: Nearly two weeks passed between the intrusion on July 12 and Navvis learning of it on July 25, which points to gaps in detection and response. Ransomware operators typically spend that dwell time on credential theft, lateral movement and data staging before they encrypt, and each stage leaves signals: new or unusual remote logons, mass file reads followed by large outbound transfers, and, at the end, a single process rewriting thousands of files with high-entropy content or renaming them to a new extension. EDR on every endpoint, SIEM correlation of authentication and file-server telemetry, and canary files on shares give defenders a chance to contain the attack before encryption and exfiltration complete.
Data Encryption and Key Management: Nothing public says whether Navvis encrypted data at rest. The baseline expectation is encryption at rest and in transit for PHI and PII, including backups and exports. The caveat practitioners know well: encryption at rest only blunts theft if the attacker cannot also obtain the keys or act through an application or service account that decrypts transparently. A ransomware crew operating with harvested domain credentials usually reads data the same way the business does, so key separation (an HSM or cloud KMS with tightly scoped access), field-level encryption or tokenization of identifiers such as SSNs and Medicare HIC numbers, and strict access control around the decrypting services matter as much as the cipher.
Backups and Ransomware Resilience: Immutable, offline or logically isolated backups, proven through regular restore drills, are what keep an encryption event from becoming an outage, and they remove the availability lever the attacker is pulling. They do nothing, however, against the other lever used here: the theft of PHI and the threat to leak it. Resilience against this incident’s actual harm also needs exfiltration detection and data minimization, not just good backups.
Timely Breach Notification: The nearly seven-month gap between discovery and notification drew the plaintiffs’ sharpest criticism. HIPAA’s Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery, and the covered entity to notify affected individuals within the same outer limit; most state breach statutes add their own deadlines, some shorter. Navvis’s role as a service vendor rather than a care provider does not take it outside those rules. An incident response plan therefore needs the notification workflow (forensic scoping, legal review, contact data, mailing vendor, regulator filings) mapped out in advance, so the 60-day clock is spent on accurate scoping rather than on organizing. Delays both extend victims’ exposure and become evidence of unreasonableness in later litigation.
Supply-Chain and Vendor Security: Navvis was acting as a business associate to SSM Health. This case underscores the need for strong vendor risk management. Health systems must vet partners’ cybersecurity (require audits, certifications, contractual security controls) because their own patients’ data is on the line. Likewise, Navvis needed robust security commensurate with the sensitivity of its clients’ data. Outsourcing critical functions does not transfer liability; both vendor and customer can be sued when data is lost.
Software Maintenance and Patching: Many ransomware attacks exploit known vulnerabilities. CISOs should enforce rigorous patch management for all systems (especially internet-facing servers and employee endpoints). Regular penetration testing and red-team exercises can uncover weak spots before attackers do.
Policy and Training: Phishing is a leading cause of breaches. While we have no public detail on the Navvis breach vector, ensuring staff are trained to recognize phishing and having technical controls (email filtering, URL scanning) is critical. CISOs should continuously evaluate and update security awareness programs, and simulate attacks to test the human firewall.
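As an added illustration of the detection point above (this is example code written for this article, not anything from Navvis, SSM Health or any named product), the following Python sketch applies two heuristics that EDR and SIEM rules commonly use to catch in-progress encryption early: a single process writing high-entropy content to, or renaming, many distinct files within a short window, and any modification of a canary file that legitimate workflows never touch. The endpoint file events, host names, process names, paths and thresholds are all constructed for the example; `bytes(range(256))` stands in for a sampled ciphertext buffer.

```python
"""Toy early-warning heuristics for ransomware encryption activity.

Added example for this article: the events, hosts, process names and
paths below are constructed, not taken from the Navvis incident.
"""
import math
import os
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds; real telemetry carries a full timestamp
    host: str
    process: str         # image name of the process that performed the op
    op: str              # "write" or "rename"
    path: str            # path after the operation
    sample: bytes = b""  # first bytes of the buffer written (empty for rename)


# Hypothetical canary: a decoy file placed where ransomware will find it
# but no legitimate workflow ever modifies it.
CANARY_PATHS = frozenset({"/srv/patients/.canary/do_not_touch.docx"})

# Extensions a file may legitimately be renamed to; anything else
# (".locked", ".enc", random strings) is treated as an encryption marker.
EXPECTED_EXTENSIONS = frozenset({".docx", ".xlsx", ".pdf", ".csv", ".txt", ".tmp"})


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(ev: FileEvent, entropy_threshold: float = 7.0) -> bool:
    """Does this single event look like encryption output?"""
    if ev.op == "rename":
        return os.path.splitext(ev.path)[1].lower() not in EXPECTED_EXTENSIONS
    if ev.op == "write":
        # Ciphertext is close to uniform; documents, CSV and XML sit well below 7 bits/byte.
        return shannon_entropy(ev.sample) >= entropy_threshold
    return False


def detect_ransomware(events, window_s=30.0, min_files=20, entropy_threshold=7.0):
    """Return alerts for (host, process) pairs that touch a canary or modify
    at least min_files distinct files suspiciously within window_s seconds."""
    alerts = []
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor[(ev.host, ev.process)].append(ev)

    for (host, proc), evs in by_actor.items():
        window = deque()  # (ts, path) of suspicious events in the last window_s
        fired = set()     # reasons already raised for this actor (alert once each)
        for ev in evs:
            if ev.path in CANARY_PATHS and "canary_touched" not in fired:
                alerts.append({"host": host, "process": proc,
                               "reason": "canary_touched", "path": ev.path})
                fired.add("canary_touched")
            if not is_suspicious(ev, entropy_threshold):
                continue
            window.append((ev.ts, ev.path))
            while window and ev.ts - window[0][0] > window_s:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= min_files and "mass_encryption" not in fired:
                alerts.append({"host": host, "process": proc,
                               "reason": "mass_encryption",
                               "files": len(distinct), "window_s": window_s})
                fired.add("mass_encryption")
    return alerts


def build_sample_events():
    """Constructed telemetry: one benign editor and one hypothetical encryptor."""
    evs = []
    # Benign: a word processor saving three low-entropy documents.
    for i in range(3):
        evs.append(FileEvent(100.0 + i, "ws-042", "WINWORD.EXE", "write",
                             f"/srv/patients/note{i}.docx",
                             b"Patient follow-up note, no change in plan.\n" * 6))
    # Hypothetical ransomware: overwrite 25 records with ciphertext-like
    # bytes and rename each to ".locked", all within about five seconds.
    for i in range(25):
        p = f"/srv/patients/record{i:03d}.pdf"
        t = 200.0 + i * 0.2
        evs.append(FileEvent(t, "ws-042", "svc_update.exe", "write", p, bytes(range(256))))
        evs.append(FileEvent(t + 0.1, "ws-042", "svc_update.exe", "rename", p + ".locked"))
    # ...and it eventually reaches the canary file.
    evs.append(FileEvent(206.0, "ws-042", "svc_update.exe", "write",
                         next(iter(CANARY_PATHS)), bytes(range(256))))
    return evs


if __name__ == "__main__":
    for alert in detect_ransomware(build_sample_events()):
        print(alert)
```

Run as a script it raises two alerts for `svc_update.exe` (mass encryption once twenty distinct suspicious paths fall inside the window, then the canary touch) and none for the word processor. The thresholds are deliberately conservative; in production the count and window are tuned per file server against a baseline of normal save rates, and the alert should feed an automated response (kill process, isolate host) rather than a ticket, since by the time a human reads it the share is already encrypted.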
Lessons and Best Practices
For cybersecurity executives, the Navvis/SSM settlement serves as a cautionary tale. Beyond the obvious need for robust technical defenses, several broader lessons emerge:
Holistic Risk Management: Treat patient data as highly valuable and high-risk. Conduct regular risk assessments (e.g. NIST or HIPAA risk assessments) to identify and remediate potential vulnerabilities before they are exploited. The defendants here were alleged to have “failed to implement and maintain reasonable safeguards” (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint), a phrase that echoes standard cybersecurity obligations.
Contracts and Accountability: Ensure third-party agreements specify security requirements. Both covered entities and vendors should hold each other accountable – in this case, SSM Health and Navvis “work together” on data, so both shared responsibility ($6.5M Navvis, SSM Health data breach class action settlement). Contracts should include breach response timelines, audit rights, and liability clauses.
Incident Response Readiness: Maintain an up-to-date incident response plan and team. Quick detection, containment, and communication can greatly reduce legal exposure. This incident shows the risk of delaying notifications – plan so that once a breach is confirmed, notifications go out (with any necessary law firm review) within regulatory timeframes.
Cyber Insurance and Legal Preparedness: Review cyber-insurance coverage (and requirements). Many insurers now mandate specific security controls (MFA, backups, vulnerability management) to qualify for coverage. Having insurance can aid breach recovery, but only if preconditions are met. Also, in a breach, have legal counsel experienced in data security to navigate FTC/HIPAA obligations and class-action defense.
Transparency and Communication: Although Navvis and SSM denied wrongdoing, transparent communication with regulators and affected individuals is critical. Assume that news of a breach will become public; proactive, honest communication can mitigate reputational damage and possibly reduce the aggressiveness of lawsuits. Here, plaintiffs cited Navvis’s statements and timing as evidence of fault (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint).
Adopt Security Frameworks: Align your program with best-practice frameworks (NIST CSF, ISO 27001, HITRUST, etc.) and regularly benchmark your controls against peers. The complaint characterizes the failure to prevent this breach as “egregious and foreseeable” (doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint); a framework-based program gives an organization both a structured way to close such gaps and documented evidence of reasonable care if it is ever sued.
By examining cases like Navvis/SSM, CISOs can better appreciate that cybersecurity is not only an IT issue but a business and legal imperative.
The combination of ransomware risk, sensitive data at stake, and potential for multi-million-dollar litigation should compel every health-IT executive to reassess their security posture.
Adequate investment in prevention, rapid incident response, and clear policies can help avoid the kinds of claims (negligence, privacy violations, etc.) that drove this settlement.
References
Becker’s Hospital Review, “SSM Health, Navvis reach $6.5M data breach settlement” (Apr. 2025). Cited above as “SSM Health, Navvis reach $6.5M data breach settlement - Becker's Hospital Review | Healthcare News & Analysis”.
Top Class Actions, “$6.5M Navvis, SSM Health data breach class action settlement” (Apr. 2025). Cited above as “$6.5M Navvis, SSM Health data breach class action settlement”.
Official settlement website, John Doe et al. v. SSM Health Care Corporation d/b/a SSM Health et al., Circuit Court of the City of St. Louis, State of Missouri, Case No. 2422-CC00208-01 (Navvis data breach claim site). Cited above by the case caption.
ClaimDepot, “SSM Health $6.5M Data Breach Class Action Settlement” (Apr. 2025). Cited above as “SSM Health $6.5M Data Breach Class Action Settlement”.
Consolidated Complaint, Rekoske v. Navvis et al. (E.D. Mo., filed Mar. 11, 2024), ¶¶ 12–20, 260–265. Cited above as “doe-et-al-v-ssm-health-care-corporation-et-al-consolidated-complaint”.
Settlement Agreement, Doe et al. v. SSM Health Care Corporation et al. (Mo. Cir. Ct., St. Louis City). Cited above as “doe-et-al-v-ssm-health-care-corporation-et-al-settlement-agreement”.