Trade Law Daily is a Warren News publication.
'Preventable' Cyberattack

Mo. Plaintiff Sues Healthcare Platform Provider Over July Data Breach

Healthcare platform provider Navvis & Co. failed to protect Richard Lilly’s personally identifiable information (PII) and personal health information (PHI) in a “preventable” cyberattack, alleged Lilly's class action Thursday (docket 4:24-cv-00063) in U.S. District Court for Eastern Missouri in St. Louis.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

The July 12 data breach, discovered by Navvis July 25, affected at least 917 other individuals, said the complaint, citing a Department of Health and Human Services breach report. Navvis didn’t begin informing those affected until December and “failed to inform victims when or for how long” the breach occurred, it said. Navvis received the PHI and PII from Lilly in connection with services the defendant requested, it said.

Lilly, a Missouri resident, received a letter from Navvis dated Dec. 29, informing him his PHI and PII were involved in the data breach, the complaint said. He was not aware of the breach before he received the letter, it said. Since then, he has suffered “lost time, annoyance, interference and inconvenience” as a result and has “anxiety and increased concerns for the loss of privacy, as well as anxiety over the impact of cybercriminals accessing, using and selling” his PHI and PII, the complaint said.

Lilly has suffered “imminent and impending injury” arising from the increased risk of fraud, identity theft and misuse resulting from his PHI and PII, in combination with his name, “being placed in the hands of unauthorized third parties/criminals,” it said. Upon information and belief, Lilly’s data remains backed up in Navvis’ possession, it said. Lilly and class members remain “in the dark regarding what particular data was stolen, the particular malware used and what steps are being taken, if any, to secure their PHI/PII going forward,” it said.

The Health Insurance Portability and Accountability Act sets national minimum standards for the protection of individuals’ medical records and other protected health information, and it requires “appropriate safeguards” to be maintained by companies like Navvis, said the complaint.

Lilly asserts claims of negligence, breach of implied contract and breach of the implied covenant of good faith and fair dealing, said the complaint. He seeks actual, nominal and consequential damages, plus attorneys’ fees and legal costs. He also requests orders enjoining Navvis from engaging in the wrongful conduct alleged and requiring it to implement and maintain a comprehensive information security program.