Patients whose personal and medical data were exposed in a 2023 hacking incident at the Chattanooga Heart Institute, which operates under the Memorial Heart Institute name, face a fast-approaching deadline to file claims from a $3.75 million settlement. The filing window closes on July 13, and anyone who received a breach notice last year but has not yet submitted a claim risks forfeiting their share of the fund. The breach affected approximately 411,300 individuals, according to state attorney general records, and the settlement resolves a lawsuit tied directly to that incident.
Why the July 13 deadline carries real financial weight
Settlement funds in data-breach cases that go unclaimed often revert to the defendant organization rather than reaching the people whose information was compromised. That structure puts pressure on affected patients to act before the cutoff. Anyone who received a mailed notice with a unique claim number from the settlement administrator can use that number to file online or by mail.
Two separate rounds of consumer notifications went out after the breach. The first wave was sent on July 28, 2023, and a second followed on October 6, 2023, according to the Maine filing. That split timeline raises a practical question: patients who received the later October notice had a shorter window between learning about the breach and the claim deadline, which could depress their filing rates relative to those notified in July. Differences in follow-up outreach between the two waves, if any, would widen that gap further. No public data on claim-submission rates by notification cohort has been released.
For patients weighing whether to file, the settlement typically allows reimbursement for out-of-pocket expenses related to the breach, such as costs associated with credit monitoring, identity-theft services, or time spent resolving fraudulent activity. Exact categories and caps, however, are not detailed in the records reviewed for this article. That lack of clarity can make it harder for individuals to estimate what they might recover, but consumer advocates generally advise filing if there is any chance of qualifying for compensation.
Breach timeline and the $3.75 million settlement record
The hacking incident began on March 8, 2023, and went undetected until May 31, 2023, a gap of nearly three months. The Maine Attorney General’s record classifies it as an external system breach caused by hacking. The Chattanooga Heart Institute, listed as the reporting entity, disclosed that 411,300 individuals were affected, a figure consistent with the scale of a regional cardiology practice serving patients across multiple states. The breach involved sensitive personal and medical information, although the precise data fields compromised are not fully itemized in the publicly accessible summary.
The resulting lawsuit was resolved for $3.75 million, according to institutional reporting that traced the settlement to the same breach event. Individual payouts will depend on the number of valid claims filed by the deadline, the categories of loss each claimant documents, and the fee structure approved by the court. Fewer claims filed means larger individual payments from the fixed pool, but it also means more money potentially returning to the organization responsible for the breach.
Because the settlement stems from a healthcare data incident, the case also fits into a broader pattern of cyberattacks aimed at medical providers. Health records often contain Social Security numbers, insurance details and treatment histories, all of which can be misused for fraud or identity theft. The length of time the Chattanooga Heart Institute’s systems were compromised before detection underscores how long attackers can sometimes operate inside a network before being discovered.
What patients still do not know about the Memorial Heart Institute breach
Several gaps in the public record leave affected individuals without full clarity. No court docket or signed settlement agreement detailing the exact payout formula has surfaced in publicly accessible filings reviewed for this report. The relationship between the Chattanooga Heart Institute, which filed the breach notice, and Memorial Heart Institute, the name attached to the lawsuit and settlement, has not been spelled out in available state or court records. Neither entity nor class counsel has issued public statements on how many claims have been submitted so far.
It is also unclear whether any additional security commitments, such as third-party audits or system upgrades, were formally required as part of the settlement. Many modern data-breach agreements include non-monetary terms designed to reduce the risk of a repeat incident, but the absence of a publicly filed agreement here leaves patients guessing about what, if anything, has changed behind the scenes. Without that information, individuals must decide whether to continue care with the provider based largely on trust and the limited details contained in the original notices.
Patients who have questions about their eligibility or how to document potential losses typically must rely on the settlement administrator’s hotline or website, information that was included in the mailed notices. Those who misplaced their letters may still be able to confirm eligibility by contacting the administrator directly, but doing so becomes more difficult as the deadline approaches. Legal and consumer advocates sometimes point people to independent resources, including professional contacts familiar with complex settlements, when questions go beyond what call-center staff can answer.
For now, the most concrete fact is the calendar. The July 13 cutoff divides those who will share in the $3.75 million fund from those who will not. Anyone who received a breach notice tied to the Chattanooga Heart Institute incident but has not yet acted has only a limited time left to decide whether to file a claim, gather documentation and secure a place in the settlement before the window closes.