Murfreesboro Medical Clinic Resolves Data Breach Lawsuit Involving Over 559K Individuals

Tennessee-based Murfreesboro Medical Clinic & SurgiCenter has decided to resolve class action litigation over a major data breach that happened in April 2023. The breach involved unauthorized access to the protected health information (PHI) of 559,000 patients.

On or around April 22, 2023, Murfreesboro Medical Clinic found that a cyber extortion operation had gained access to its network and stolen patient and employee information. The following data was breached in the incident: names, home addresses, birth dates, phone numbers, full or partial Social Security numbers, driver’s license numbers, dependent details, dates of service, medical and diagnostic data relevant to those dates of service, medical record numbers, lab test results, procedure records, prescription details, and health insurance and enrolment information. The affected people were notified of the attack in May 2023. The BianLian ransomware group confessed to being behind the attack.

Murfreesboro Medical Clinic & SurgiCenter is facing six class action lawsuits because of the data breach. Because the lawsuits made the same claims, they were consolidated into a single lawsuit on September 7, 2023. The Krenk et al. v. Murfreesboro Medical Clinic and SurgiCenter and Murfreesboro Medical Clinic litigation was filed in the 16th Judicial Circuit Court of Rutherford County, Tennessee. The consolidated lawsuit stated that the cyberattack happened as a result of the defendants’ negligence and failure to abide by their statutory and common law duties. The defendant denies all contentions of liability and wrongdoing.

Considering the probable costs, delay, and risks that come with ongoing litigation, all parties agreed to a settlement. The court has already given preliminary approval to the settlement agreed upon by the parties. The settlement will pay for the attorneys’ fees and expenses (approximately $350,000), compensation for lost time and losses for the class members, class representatives’ service awards ($3,000 per class representative, totaling $24,000), and credit monitoring and identity theft protection services.

Class members may file a claim for about $500 as reimbursement for unreimbursed, documented out-of-pocket expenses stemming from the data breach, such as about two hours of lost time at $25 per hour. The claims for lost time have an aggregate cap of $200,000 and will be paid pro rata when that total is exceeded. Class members can also claim credit monitoring and identity theft protection services for two years, including $1,000,000 in identity theft insurance coverage.

Murfreesboro Medical Clinic & SurgiCenter likewise decided to improve its business procedures and strengthen security, the cost of which will not be covered by the settlement. The measures include retaining a data security program for a minimum of three years, offering HIPAA training to employees on data security and handling suspicious emails, employing proper firewall and data segregation methods, ensuring protocols are applied for erasing records, and keeping a policy for dealing with data security incidents.

The final fairness hearing is scheduled for January 16, 2026. Claims should be submitted by April 14, 2026.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.