Lee University in Tennessee this week confirmed it notified 136,928 people of a March 2024 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Government-issued ID numbers (e.g. driver’s license, passport)
- Financial info including credit and debit card numbers
- Medical info
Lee University first announced it suffered a “security incident” on March 22, 2024. Ransomware gang Medusa in April 2024 claimed responsibility for the breach, saying it stole nearly 388 GB of data from the school. Medusa demanded $1 million in ransom.
Now, more than a year after the attack, the school has disclosed the full scope of the breach. Lee University now faces a class-action lawsuit that argues the school failed to notify victims within Tennessee’s 45-day breach disclosure requirement, and that the school failed to implement the necessary cybersecurity measures.
Lee University has not verified Medusa’s claim. We do not know if Lee University paid a ransom or how attackers breached the schools’ network.
Lee University officials responded to Comparitech’s questions with the following statement: “Lee University takes data privacy and security seriously. However, we cannot comment on ongoing litigation.”
Who is Medusa?
Medusa is a ransomware gang that first surfaced in September 2019. It debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay both to decrypt their systems and for not selling or publishing stolen data.
In 2024, Medusa claimed responsibility for 66 confirmed ransomware attacks affecting 2.4 million records. Its average ransom demand is $590,000.
This attack on Lee University is Medusa’s second largest to date by number of records compromised, following the 1.8 million records impacted in the group’s attack on Summit Pathology.
In 2025 so far, Medusa claimed eight confirmed attacks including those on Laurens County School District 56 in South Carolina and Bell Ambulance in Wisconsin. The group claimed another 70 unconfirmed attacks in 2025 that haven’t been acknowledged by the targeted organizations.
Ransomware attacks on US education
In 2024, Comparitech researchers logged 75 confirmed ransomware attacks on US schools, colleges, and other educational institutions. That’s a decline from the 124 attacks recorded in 2023.
The three biggest ransomware attacks on US education in 2024 were:
- Texas Tech University Health Sciences Center notified 1.5 million people of a data breach claimed by Interlock
- Chicago Public Schools notified 700,000 people of a data breach claimed by Clop
- East Valley Institute of Technology notified 208,717 people of a data breach claimed by LockBit
In 2025 so far, we tracked 11 confirmed ransomware attacks on US schools, including recent attacks on the Penn-Harris-Madison School Corporation in Indiana and the Cherokee County School District in South Carolina. Earlier this week, Hartwick College began notifying (PDF) victims of an October 2024 data breach claimed by Chort.
Ransomware attacks are a growing threat to schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data. Schools must either pay a ransom or face extended downtime, data loss, and putting students and staff at increased risk of fraud.
About Lee University
Lee University in Cleveland, TN is a private Christian school founded in 1918. It enrolls about 3,700 students and has 1,200 employees, according to external sources.
