Chattanooga Heart Institute Agrees to $3.75M Settlement to Resolve Its Data Breach Lawsuit

A $3.75 million settlement has been reached to resolve a data breach lawsuit involving Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, following a 2023 cyberattack that exposed protected health information (PHI).

Incident Details

The cyberattack was identified on April 17, 2023. An investigation determined that a threat actor accessed the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files containing patient information. The compromised data included names, addresses, email addresses, phone numbers, birth dates, driver’s license numbers, Social Security numbers, account details, medical insurance information, diagnosis or condition details, laboratory results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed to have conducted the attack. Chattanooga Heart Institute reported the data breach to the U.S. Department of Health and Human Services Office for Civil Rights as affecting 545,491 individuals.

Litigation and Claims

Chattanooga Heart Institute faced several class action lawsuits, which were later consolidated into Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga. The lawsuit stated that approximately 460,000 individuals had their private information exposed or stolen, including 287,000 individuals whose Social Security numbers were exposed.

The plaintiffs alleged that Chattanooga Heart Institute failed to maintain appropriate safeguards to protect patient data and asserted claims that included breach of implied contract, negligence, negligence per se, unjust enrichment, bailment, invasion of privacy, breach of fiduciary duty, and requests for declaratory and injunctive relief. Chattanooga Heart Institute denied these allegations.

The defendant sought dismissal of the lawsuit. The request was denied in part, and the case proceeded. During the discovery phase, both parties explored early resolution and reached agreement on settlement terms following mediation.

Settlement Terms

The settlement establishes a $3,750,000 fund without any admission of wrongdoing or liability by Chattanooga Heart Institute. The total settlement amount is divided into two funds. A non-reversionary $2,000,000 fund is allocated for the Social Security number subclass. Up to $1,750,000 is allocated for the total class.

Class members are eligible to receive two years of credit monitoring services valued at approximately $120 per year. Individuals may also submit claims for reimbursement of documented and unreimbursed losses related to the data breach, with a maximum of $5,500 per class member.

Members of the Social Security number settlement class may claim a cash payment. Payments will be distributed on a pro rata basis after deduction of settlement administration costs, attorneys’ fees and expenses, and service awards for class representatives. Attorneys’ fees and costs are allocated between the funds, with 53 percent assigned to the Social Security number class and 47 percent assigned to the total class fund.

Court Status and Deadlines

The settlement has received preliminary approval from a judge. A final fairness hearing is scheduled for May 28, 2026. The deadline for submitting a claim is July 13, 2026. Requests for exclusion or objections to the settlement must be submitted by June 12, 2026.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA