Chattanooga Heart Institute to pay $3.75M after ransomware attack

The Tennessee-based heart healthcare specialist is in the process of resolving a lawsuit that followed a 2023 data breach.

 

What happened

Chattanooga Heart Institute (CHI), also known as Memorial Heart Institute, has received preliminary approval to move forward with a $3.75 million settlement. According to the settlement agreement in Cahil et al. v. Memorial Heart Institute, approximately 545,491 individuals had their private information or protected health information (PHI) exposed in the incident. Of those victims, approximately 287,000 also had their Social Security numbers exposed. The lawsuit alleges that CHI negligently maintained patient data and failed to implement appropriate safeguards to prevent a data breach.

The settlement has now been finalized, with no admission of wrongdoing or liability from CHI. The settlement fund will pay general victims, with a higher allocation for those whose Social Security numbers were accessed or stolen.

A final approval hearing is scheduled for May 28th, 2026, and approval is expected.

 

The backstory

The lawsuit is the result of a large data breach Paubox covered in 2023. According to court documents, the breach took place between March 8th, 2023, and March 16th, 2023. Accessed information included names, mailing addresses, email addresses, phone numbers, dates of birth, driver's license numbers, account information, health insurance information, additional health information, financial information, and, for some, Social Security numbers.

 

In the know

The attack was claimed by the ransomware group Karakurt, which first emerged in late 2021. The Health Sector Cybersecurity Coordination Center (HSCCC) noted that the group generally steals data and threatens to auction or release it if no payment is made. Karakurt generally demands between $25,000 and $13 million. The HSCCC also believes the group had ties to the Conti ransomware group, which is based out of Russia and known to sell specific ransomware tools and software. Karakurt has been known to target other organizations in the healthcare industry.

 

The big picture

It’s common for lawsuits like these to settle, but the massive settlements can still create a financial burden on healthcare organizations. According to a 2025 Paubox report, data breaches almost always result in future litigation. Furthermore, the settlement amounts are likely to dwarf the expected budget for healthcare companies. The financial strain can make it difficult for these organizations to recover, an already challenging process as companies work to improve their cybersecurity policies and rebuild trust with patients.

 

FAQs

Why did this lawsuit take so long to resolve?

Lawsuits can be time-consuming for a variety of reasons, from the discovery process running long to simple court delays. CHI also initially attempted to have the lawsuit dismissed, which may have taken the parties additional time to work through.

 

Will CHI face any other costs aside from the settlement?

CHI may still have to pay some legal fees associated with the settlement. CHI will also likely have to improve its current cybersecurity policies and procedures. To do so, it may have to take time to train employees, implement new tools, and more. All of these things create additional costs that can make it difficult for an organization to recover.