The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

$3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute

Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026.

The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 545,491 individuals. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute – in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga.

According to the lawsuit, approximately 460,000 individuals had their private information exposed or stolen in the incident, including 287,000 individuals who had their Social Security numbers exposed. The plaintiffs alleged that Chattanooga Heart Institute negligently maintained patient data and had not implemented appropriate safeguards to prevent unauthorized access, claims strenuously denied by the Chattanooga Heart Institute. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, bailment, breach of fiduciary duty, invasion of privacy, and declaratory and injunctive relief.

Chattanooga Heart Institute sought to have the lawsuit dismissed; however, the request was denied in part, and the lawsuit was allowed to proceed. During discovery, the parties began exploring the possibility of an early resolution, and following mediation, agreed upon the material terms of a settlement. The settlement has now been finalized, with no admission of wrongdoing or liability by the Chattanooga Heart Institute. The defendant will establish a $3,750,000 settlement fund, which will be split into two separate funds – a non-reversionary $2,000,000 fund for the Social Security number subclass and a fund of up to $1,750,000 for the total class.

All class members may claim two years of credit monitoring services, valued at approximately $120 per year. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,500 per class member. A cash payment may also be claimed by members of the Social Security number settlement class. The cash payments will be paid pro rata after the settlement administration costs, a share of the attorneys’ fees and expenses, and service awards for the class representatives have been deducted. The attorneys’ fees and costs will be divided between the Social Security number class (53%) and the total class fund (47%). The deadline for submitting a claim is July 13, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 12, 2026.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
