Murfreesboro Medical Clinic Settles Data Breach Litigation Involving Over 559K Patients

Murfreesboro Medical Clinic & SurgiCenter, located in Tennessee, has decided to settle class action litigation over a large data breach that occurred in April 2023. The breach involved unauthorized access to the protected health information (PHI) of 559,000 individuals.

On or around April 22, 2023, Murfreesboro Medical Clinic confirmed that a cyber extortion operation had gained access to its system and exfiltrated patient and employee information. The following data elements were compromised in the incident: names, addresses, dates of birth, telephone numbers, complete or incomplete Social Security numbers, driver’s license numbers, dependent data, dates of service, medical and diagnostic data linked to those dates of service, medical record numbers, laboratory test results, procedure records, prescription details, and medical insurance and enrolment data. Affected individuals were notified of the attack in May 2023. The BianLian ransomware group admitted responsibility for the attack.

Murfreesboro Medical Clinic & SurgiCenter is facing six class action lawsuits over the data breach. The lawsuits were consolidated into a single action on September 7, 2023, because they made similar claims. The consolidated litigation, Krenk et al. v. Murfreesboro Medical Clinic and SurgiCenter and Murfreesboro Medical Clinic, was filed in the 16th Judicial Circuit Court of Rutherford County, Tennessee. It alleged that the cyberattack resulted from the defendants’ negligence and failure to comply with their statutory and common law duties.

Although Murfreesboro Medical Clinic and SurgiCenter denies all allegations stated in the lawsuit, the parties’ discussions and mediation ended in a settlement, given the possible delay, costs, and risks of continued litigation. The court has already given preliminary approval to the settlement agreed upon by the parties. The settlement will pay for attorneys’ fees and expenses (about $350,000), compensation for class members’ lost time and expenses, class representatives’ service awards ($3,000 each, totaling $24,000), and identity theft protection and credit monitoring services.

Class members can submit a claim for approximately $500 as reimbursement for unreimbursed, documented expenses caused by the data breach, which includes about two hours of lost time valued at $25 per hour. Claims for lost time have a combined limit of $200,000 and will be paid pro rata if that total is exceeded. Class members can also receive credit monitoring and identity theft protection services for two years, which include a $1,000,000 identity theft insurance plan.

Murfreesboro Medical Clinic & SurgiCenter also agreed to improve its business practices and strengthen security, the cost of which will not be paid from the settlement. The measures include maintaining a data security program for no less than 3 years, providing HIPAA training to staff on data security and handling suspicious email messages, using appropriate firewall and data segregation standards, ensuring standards are implemented for deleting information, and maintaining a policy for responding to data security incidents.

The date of the final fairness hearing is January 16, 2026. Claims need to be filed on or before April 14, 2026.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years of experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown