What Happened in the Navvis Data Breach?
In late July 2023, Navvis & Company LLC, a healthcare technology company, discovered a data security incident that led to unauthorized access to patient information. Navvis provides revenue cycle management and other services to healthcare providers.
After detecting suspicious activity on their network from July 12-25, Navvis launched an investigation with the help of cybersecurity experts. They determined that an unauthorized third party had gained access to a database containing protected health information and personal details of patients.
The impacted data included names, dates of birth, Social Security numbers, medical record numbers, medical diagnoses and treatment information. In total, it’s estimated that over 2 million patients across several states had their data exposed in the Navvis breach.
On July 25th, Navvis completed its forensic investigation and began notifying the healthcare organizations it works with. Notices were then sent to patients in the following months if their information was confirmed to be involved in the incident.
Impacted Healthcare Providers and Patients
Some of the major healthcare providers whose patients were affected by the Navvis breach include:
- SSM Health – A large nonprofit Catholic healthcare system operating in Illinois, Wisconsin, Missouri and Oklahoma. Over 1 million SSM Health patients were potentially impacted.
- Mercy Healthcare – A hospital network based in Missouri with locations in multiple Midwestern states. Patient data from several Mercy facilities was involved.
- Oklahoma State University Medical Center – The main academic medical center for Oklahoma, based in Tulsa. OSU Medical Center notified thousands of patients.
- Billings Clinic – The largest healthcare provider in Montana, serving over 300,000 residents annually from across the state and surrounding regions.
Patients receiving care from orthopedic, cardiac, imaging and other clinical departments at these organizations between 2013-2023 likely had their details exposed. Notices were sent via mail to notify patients and advise them on credit monitoring and identity protection services being offered.
Causes and Response from Navvis
An investigation into the root cause of the Navvis breach determined that cyber attackers were able to exploit vulnerabilities in its systems and networks to gain unauthorized access over a 13-day window in mid-July.
Specific techniques used by the threat actors have not been publicly disclosed, but common entry points for these types of healthcare data breaches involve exploiting unpatched software, weak or stolen credentials, and phishing employees with malware.
Upon discovering the incident, Navvis took the following remedial actions:
- Hired outside cybersecurity experts to contain the intrusion and investigate its full scope
- Notified impacted healthcare customers and supported notification of patients
- Offered complimentary credit monitoring and identity protection services
- Patched vulnerabilities and improved security access controls on their infrastructure
- Enhanced employee security awareness training on social engineering and phishing
- Published notices and call center information for concerned patients
Navvis claims they have no direct evidence that any stolen data has led to actual identity theft or fraud. However, the FTC warns that protected health information can be used for medical or insurance fraud years into the future.
Lessons Learned and Ongoing Risk
Data breaches involving healthcare providers have increased dramatically in recent years due to growing attack surfaces and value of stolen medical records on the black market. The Navvis incident exemplifies cyber risks that can impact both industry service vendors and end patients.
Some lessons and takeaways include:
- Third-party vendors must also have strong security, as they are access points for cybercriminals
- Protected health data requires multi-factor authentication and secure access controls
- Rapid incident response helps minimize the exposure window and reduce harm
- Ongoing employee training combats social engineering, which is still used in most attacks
- Complimentary credit monitoring may not fully prevent future identity misuse
- Data stored indefinitely remains at risk of being stolen years after the original breach
While Navvis claims to have addressed the vulnerabilities used in this breach, the stolen data will still pose a small ongoing risk to affected individuals for many years. Patients are encouraged to regularly monitor credit reports and take advantage of free identity protection services when offered. Overall, the case emphasizes the important responsibility of all healthcare organizations to properly secure sensitive patient information.
Ongoing Investigations and Legal Compliance
State attorney general and privacy offices continue to actively oversee company compliance with breach notification laws stemming from the Navvis cyberattack. Offices like the Vermont Attorney General provide resources to consumers impacted in their state.
Class action lawsuits have also been filed against Navvis on behalf of patients alleging negligence led to improper exposure of protected health data and failure to prevent foreseeable risks. Cases allege the data breach caused damages including undue financial burdens and emotional distress.
Navvis maintains they responded appropriately and offered identity monitoring in accordance with all relevant regulations. Under HIPAA, companies like Navvis that experience data breaches are required to notify affected individuals without unreasonable delay. They must also conduct thorough risk assessments and take any necessary further action.
Regulators will scrutinize Navvis’ security practices and determine whether any violations occurred, opening the company to potential fines or sanctions. Full transparency into the root causes and reporting of this major breach of patient trust will be important. It serves as another example of how vulnerabilities in third-party vendors similarly impact covered entities and their customers.
In summary, the July 2023 Navvis data breach stands as a cautionary tale of the widespread downstream risks posed by cyberattacks on healthcare technology companies. While Navvis claims to have addressed the specific access issues, the incident underscores the importance of security for all organizations handling sensitive patient information.
It also demonstrates why compliance with breach notification laws and offering credit protection services benefits customers after a breach. Time will tell if any legal or regulatory issues further arise from this case now under investigation. Most importantly, affected individuals are reminded to remain vigilant against potential identity misuse for years to come.
Properly securing systems through measures like multi-factor authentication, regular software updates, employee training and access controls can help reduce these types of intrusions, which impact millions. But with cybercriminals constantly improving their methods, no entity will be completely risk free, and ongoing diligence is required across the entire healthcare sector.