Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Class action against Murfreesboro ends in settlement 

Written by Mara Ellis | January 9, 2026

The April 22, 2023, cyberattack on Murfreesboro Medical Clinic & SurgiCenter in Tennessee led to a class action. The parties have recently agreed to a settlement.

 

What happened

The clinic notified affected individuals in May 2023, after confirming the scope of the intrusion. In response, six class-action lawsuits were filed, alleging negligence and failure to meet statutory and common-law duties to protect protected health information.

These cases were consolidated on September 7, 2023, into a single action titled Krenk et al. v. Murfreesboro Medical Clinic and SurgiCenter in the 16th Judicial Circuit Court of Rutherford County, Tennessee. Although Murfreesboro Medical Clinic & SurgiCenter denied liability and wrongdoing, the parties agreed to pursue a settlement following extensive information exchanges and mediation.

 

The backstory

In April 2023, Murfreesboro Medical Clinic & SurgiCenter (MMC), a large Tennessee-based healthcare provider, became the target of a sophisticated criminal cyberattack that first manifested on April 22, 2023, when its IT systems began experiencing unusual activity. MMC immediately initiated an emergency shutdown of its network to contain the incident and engaged law enforcement and third-party cybersecurity experts to investigate.

Through that investigation, MMC determined that a well-known cyber extortion operation had infiltrated its systems with the intent to steal information for ransom, forcing the clinic to halt operations temporarily while it restored its network and bolstered its security measures. In May 2023, the organization began notifying patients and employees that their personal and protected health information had been compromised.

 

What was said

According to the class action document, “Class Counsel will apply to the Court for an award of attorneys’ fees and expenses not to exceed three hundred fifty thousand dollars ($350,000). Any amount the Court awards in attorneys’ fees and expenses shall not exceed $350,000 and shall be paid by MMC separately from any payment to Settlement Class Members.

“Class Counsel will also ask the Court to approve a service award of $3,000 each for the named Plaintiffs who filed these consolidated lawsuits on behalf of the Settlement Class, as an award for their service to the Settlement Class in obtaining this Settlement.”

 

Why it matters

In 2025, the healthcare sector continued to see data breaches similar to the Murfreesboro Medical Clinic incident, including Episource, LLC, where a ransomware attack exposed patient data of over 5.4 million individuals in early February, and DaVita, a kidney care provider that suffered a ransomware breach affecting nearly 2.7 million people in March–April 2025.

Yale New Haven Health System reported a breach of 5.5 million records in April 2025 involving unauthorized access to demographic and protected health information, and Anne Arundel Dermatology disclosed a breach affecting about 1.9 million patients after hackers accessed systems between February and May 2025. Like the larger incidents, Murfreesboro’s breach led to allegations of inadequate security practices and class action litigation.

 

FAQs

Why do data breaches often lead to class actions?

When many patients are affected, lawsuits are frequently consolidated into class actions to address claims of negligence, inadequate safeguards, or failure to meet legal duties.

 

Do regulators and courts rely on outside experts?

Yes. Regulators and courts often consider findings from independent auditors, forensic investigators, and compliance consultants when evaluating an organization’s response.

 

How can healthcare organizations reduce legal risk?

Third-party experts consistently recommend regular risk assessments, staff training, incident response planning, vendor oversight, and encryption of data.