Murfreesboro Medical Clinic Settles Lawsuit Over 559K-record Data Breach
Murfreesboro Medical Clinic & SurgiCenter in Tennessee has agreed to settle class action litigation over a major data breach in April 2023 that involved unauthorized access to the protected health information of 559,000 patients.
Murfreesboro Medical Clinic determined that “a well-known cyber extortion operation” gained access to its network on or around April 22, 2023, and exfiltrated patient and employee data. Data compromised in the incident included names, dates of birth, home addresses, phone numbers, copies of driver’s licenses, full or partial social security numbers, dependent information, dates of service, medical and diagnostic information related to those dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrolment information. The affected individuals were notified about the attack in May 2023. The BianLian ransomware group claimed responsibility for the attack.
Six class action lawsuits were filed in response to the data breach, which were consolidated on September 7, 2023, into a single action – Krenk et al. v. Murfreesboro Medical Clinic and SurgiCenter and Murfreesboro Medical Clinic – in the 16th Judicial Circuit Court of Rutherford County, Tennessee, as the lawsuits had overlapping claims. The consolidated lawsuit alleged that the cyberattack occurred as a result of the defendants’ negligence and failure to comply with their statutory and common law duties. Murfreesboro Medical Clinic and SurgiCenter and Murfreesboro Medical Clinic deny all claims of liability and wrongdoing.
Following significant exchanges of information and mediation, all parties agreed that a settlement was the best outcome, given the likely costs, delay, and risks associated with continued litigation. The settlement has been agreed upon by all parties and has received preliminary approval from the court. The settlement covers attorneys’ fees and expenses (up to $350,000), service awards for the class representatives ($3,000 per class representative, totaling $24,000), reimbursement of lost time and losses for the class members, and credit monitoring and identity theft protection services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Class members may submit a claim for up to $500 as reimbursement for unreimbursed, documented out-of-pocket expenses stemming from the data breach, including up to two hours of lost time at $25 per hour. The claims for lost time have an aggregate cap of $200,000 and will be paid pro rata if that total is exceeded. Class members may also claim two years of credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy.
Murfreesboro Medical Clinic & SurgiCenter has also agreed to make changes to its business practices and augment security, the cost of which will be paid separately from the settlement agreement. They include maintaining a comprehensive information security program for at least three years, providing training to the workforce on data security and handling suspicious emails, implementing appropriate firewall and data segregation protocols, ensuring protocols are implemented for deleting records, and maintaining a policy for responding to data security incidents.
The final fairness hearing has been scheduled for January 16, 2026, and claims must be submitted by April 14, 2026.
