Active breach tracker Livonia, MI HQ Disclosed March 13, 2026 Part of Health Gorilla HIE cluster

Trinity Health Data Breach 2026 (Health Gorilla HIE Scandal): 2,740 Patients Exposed Through Abused TEFCA Pipeline. What To Do

Trinity Health Corporation, the Livonia, Michigan-based Catholic non-profit health system with 90+ hospitals across 26 states, disclosed in March 2026 that its records were extracted through an abused Health Information Exchange (HIE) pipeline operated by Health Gorilla. Records allegedly funneled to third-party health-tech firms for mass-tort marketing rather than treatment. 2,740 Trinity patients exposed. Trinity is suing Health Gorilla; patients are suing Trinity. Cyberscout monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 13, 2026

Trinity notified by HIE partner of suspicious data-access requests; Epic + health systems file Epic Systems Corp. v. Health Gorilla, Inc. (2:26-cv-00321, W.D. Wisconsin) same day

Jan 13, 2026

Attacker gained access

Mar 13, 2026

Patient notification letters mailed; HHS OCR filing; Vermont AG notice posted

Mar 20, 2026

Jackson v. Trinity Health Corporation et al. class action filed in E.D. Michigan

Data exposed

01

High-risk identity

Enables financial + identity theft

Age / date of birth Driver's license number (potentially)

02

Health records

Don't expire and can't be reissued

Clinical care details Diagnoses Medical record numbers, member numbers, patient ID numbers

03

Contact & insurance

Phishing + targeted scams

Full name Demographics Medical history elements Insurance information Email address (per class action complaint) Procedure names, provider names and specialties Transaction information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Jackson v. Trinity Health Corporation et al., 2:26-cv-10948 (E.D. Mich., filed Mar 20, 2026)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

This is not a classic data breach. It is Trinity Health’s slice of the Epic / Health Gorilla Health Information Exchange (HIE) scandal — the dominant healthcare data story of Q1 2026.

Trinity Health Corporation is a major Catholic non-profit health system headquartered in Livonia, Michigan, operating 90+ hospitals across 26 states. Its ministries include Saint Joseph Mercy Health System, Mercy Health, and IHA.

On January 13, 2026, Trinity Health was notified by its HIE partner that Health Gorilla — a TEFCA / Carequality on-ramp connecting healthcare data networks — had been issuing data-access requests under the pretext of “treatment purposes” that the HIE partner could not verify as legitimate. Records were allegedly funneled to third-party health-tech firms (Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog) who used them for mass-tort claimant marketing rather than patient care.

The same day Trinity was notified, Epic Systems, Trinity Health, Michigan Medicine, and other health systems filed Epic Systems Corp. v. Health Gorilla, Inc. (2:26-cv-00321, W.D. Wisconsin), suing Health Gorilla for the underlying scheme.

Trinity Health mailed patient notification letters on March 13, 2026 and filed with HHS OCR — confirming 2,740 affected Trinity patients. Trinity’s slice is part of an alleged ~300,000 records improperly extracted across the Epic community via “sham NPIs” and shell clinical websites.

On March 20, 2026, Jackson v. Trinity Health Corporation et al. (2:26-cv-10948) was filed in the Eastern District of Michigan, suing Trinity AND Health Gorilla for failure to safeguard data flowing through the HIE.

Why HHS OCR classifies this as “Unauthorized Access/Disclosure at EMR”

The OCR taxonomy label fits but undersells the systemic story: data left Trinity’s Epic instance via an authorized HIE channel that was subsequently abused. It was not hacked. The federated-exchange pipe worked exactly as designed, with the wrong identity claim at the other end.

This is the rare HIPAA breach where the covered entity is also a plaintiff. The systemic implication: TEFCA and Carequality identity-verification governance has a gap that downstream actors can exploit at scale.

What was stolen

Per Trinity’s notice:

  • Full name, age / date of birth, demographics
  • Clinical care details, diagnoses, medical history elements
  • Insurance information
  • Driver’s license number (potentially)

Per the class action complaint (Jackson v. Trinity Health):

  • Email addresses
  • Location of service, dates of service
  • Medical record numbers, member numbers, patient ID numbers
  • Procedure names, provider names and specialties
  • Transaction information

What Trinity Health is offering

  • Credit monitoring and identity protection through Cyberscout (a TransUnion company)
  • Duration: 12 months (per Vermont AG notice and Becker’s). HIPAA Journal reports 24 months — read your specific letter for the authoritative figure.
  • Dedicated hotline: 1-833-877-5364 (Monday to Friday, 7 a.m. to 7 p.m. Central)
  • Trinity states its HIE partner has suspended the named third-party connections

What to do

  1. Enroll in Cyberscout monitoring through the activation code in your letter.
  2. Place free credit freezes at Equifax, Experian, TransUnion.
  3. If you have ever received care at a Trinity Health ministry (Saint Joseph Mercy, Mercy Health, IHA, or any of the 90+ hospitals across 26 states), watch for a notification letter — your inclusion depends on whether your records were among those extracted.
  4. Be alert to mass-tort marketing solicitations — if you receive unsolicited contact from law firms or medical companies referencing your specific Trinity treatment history, that is potentially evidence of misuse.
  5. Consider joining the Jackson v. Trinity Health class action if you receive a notification letter. The case is pending in the E.D. Michigan.
  6. Stop the ongoing flow of your records through health information exchanges. HealthConsent files HIPAA restriction requests including across TEFCA / Carequality / eHealth Exchange pathways — these federated networks are difficult to opt out of through standard provider workflows.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.