ST. LOUIS — Multiple people have messaged the 5 On Your Side VERIFY team asking whether a worrying letter they got in the mail was authentic.
The letter, sent from a St. Louis-based healthcare management company called Navvis, alleged that adult and minor patients of SSM Health may have potentially had their data breached between July 12 and July 25. Personal information potentially breached included health insurance policy numbers, account numbers and medical treatment/procedure information.
Viewers asked the VERIFY team "Is this letter real?" We dug into the facts to find out:
The question
Is the letter about a Navvis and SSM Health data breach real?
Our sources
The answer
Yes, Navvis and SSM Health have both confirmed that the letter is real and that numerous patient data were breached.
What we found
The partnership between Navvis and SSM Health was announced in 2019 in an attempt to update the hospital system's healthcare experience.
"The partnership brings together one of the nation’s largest Catholic health care systems with an innovative leader in population health to improve the health of millions of Americans," an SSM Health press release said.
Navvis told 5 On Your Side that the letters were authentic, and they had been sent out to patients who were identified to potentially be at risk. The company also confirmed the breach happened during a cyberattack against it.
Navvis said it was unable to provide an estimated number of patients affected.
"Through its investigation, Navvis determined that, between July 12, 2023 – July 25, 2023, it was a victim of a cyber-attack, and a threat actor had access to certain systems that stored personal and protected health information," the company said. "Although Navvis has no evidence of any identity theft or fraud in connection with this incident, Navvis is notifying those individuals whose information was impacted."
The types of information potentially affected include:
- An individual’s name
- Date of birth
- Medicaid/Medicare ID number
- Health plan information
- Medical treatment information
- Medical record number
- Patient account number
- Case identification number
- Provider and doctor information
- Health record information
- In some circumstances, Social Security number
However, in the letters of SSM Health patients that were sent to 5 On Your Side, they specified that those patients' Social Security numbers were not included in the unauthorized access. Navvis did not specify what determined whether an individual's Social Security number was breached.
SSM Health also confirmed the data breach on its website, but deferred communication on the incident to Navvis.
In response to the cyberattack, Navvis is providing affected patients at least 12 months of free credit monitoring and identity protection services through Equifax, Experian or TransUnion.
"Individuals who have questions about this incident can contact our dedicated call center at 1-888- 996-4022 between 8 a.m. and 9 p.m. Central, Monday through Friday, except holidays," Navvis said.
VERIFY
Have a question you want us to VERIFY? Email hbassler@ksdk.com or verify@ksdk.com with your claim.
Craving more VERIFY? See every St. Louis-area claim we've looked into here.