Trinity Health Data Breach 2026 (Health Gorilla HIE Scandal): 2,740 Patients Exposed Through Abused TEFCA Pipeline. What To Do
Trinity Health Corporation, the Livonia, Michigan-based Catholic non-profit health system with 90+ hospitals across 26 states, disclosed in March 2026 that its records were extracted through an abused Health Information Exchange (HIE) pipeline operated by Health Gorilla. Records allegedly funneled to third-party health-tech firms for mass-tort marketing rather than treatment. 2,740 Trinity patients exposed. Trinity is suing Health Gorilla; patients are suing Trinity. Cyberscout monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 13, 2026
Trinity notified by HIE partner of suspicious data-access requests; Epic + health systems file Epic Systems Corp. v. Health Gorilla, Inc. (2:26-cv-00321, W.D. Wisconsin) same day
Jan 13, 2026
Attacker gained access
Mar 13, 2026
Patient notification letters mailed; HHS OCR filing; Vermont AG notice posted
Mar 20, 2026
Jackson v. Trinity Health Corporation et al. class action filed in E.D. Michigan
Jan 13, 2026
Trinity notified by HIE partner of suspicious data-access requests; Epic + health systems file Epic Systems Corp. v. Health Gorilla, Inc. (2:26-cv-00321, W.D. Wisconsin) same day
Jan 13, 2026
Attacker gained access
Mar 13, 2026
Patient notification letters mailed; HHS OCR filing; Vermont AG notice posted
Mar 20, 2026
Jackson v. Trinity Health Corporation et al. class action filed in E.D. Michigan
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
This is not a classic data breach. It is Trinity Health’s slice of the Epic / Health Gorilla Health Information Exchange (HIE) scandal — the dominant healthcare data story of Q1 2026.
Trinity Health Corporation is a major Catholic non-profit health system headquartered in Livonia, Michigan, operating 90+ hospitals across 26 states. Its ministries include Saint Joseph Mercy Health System, Mercy Health, and IHA.
On January 13, 2026, Trinity Health was notified by its HIE partner that Health Gorilla — a TEFCA / Carequality on-ramp connecting healthcare data networks — had been issuing data-access requests under the pretext of “treatment purposes” that the HIE partner could not verify as legitimate. Records were allegedly funneled to third-party health-tech firms (Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog) who used them for mass-tort claimant marketing rather than patient care.
The same day Trinity was notified, Epic Systems, Trinity Health, Michigan Medicine, and other health systems filed Epic Systems Corp. v. Health Gorilla, Inc. (2:26-cv-00321, W.D. Wisconsin), suing Health Gorilla for the underlying scheme.
Trinity Health mailed patient notification letters on March 13, 2026 and filed with HHS OCR — confirming 2,740 affected Trinity patients. Trinity’s slice is part of an alleged ~300,000 records improperly extracted across the Epic community via “sham NPIs” and shell clinical websites.
On March 20, 2026, Jackson v. Trinity Health Corporation et al. (2:26-cv-10948) was filed in the Eastern District of Michigan, suing Trinity AND Health Gorilla for failure to safeguard data flowing through the HIE.
Why HHS OCR classifies this as “Unauthorized Access/Disclosure at EMR”
The OCR taxonomy label fits but undersells the systemic story: data left Trinity’s Epic instance via an authorized HIE channel that was subsequently abused. It was not hacked. The federated-exchange pipe worked exactly as designed, with the wrong identity claim at the other end.
This is the rare HIPAA breach where the covered entity is also a plaintiff. The systemic implication: TEFCA and Carequality identity-verification governance has a gap that downstream actors can exploit at scale.
What was stolen
Per Trinity’s notice:
- Full name, age / date of birth, demographics
- Clinical care details, diagnoses, medical history elements
- Insurance information
- Driver’s license number (potentially)
Per the class action complaint (Jackson v. Trinity Health):
- Email addresses
- Location of service, dates of service
- Medical record numbers, member numbers, patient ID numbers
- Procedure names, provider names and specialties
- Transaction information
What Trinity Health is offering
- Credit monitoring and identity protection through Cyberscout (a TransUnion company)
- Duration: 12 months (per Vermont AG notice and Becker’s). HIPAA Journal reports 24 months — read your specific letter for the authoritative figure.
- Dedicated hotline: 1-833-877-5364 (Monday to Friday, 7 a.m. to 7 p.m. Central)
- Trinity states its HIE partner has suspended the named third-party connections
What to do
- Enroll in Cyberscout monitoring through the activation code in your letter.
- Place free credit freezes at Equifax, Experian, TransUnion.
- If you have ever received care at a Trinity Health ministry (Saint Joseph Mercy, Mercy Health, IHA, or any of the 90+ hospitals across 26 states), watch for a notification letter — your inclusion depends on whether your records were among those extracted.
- Be alert to mass-tort marketing solicitations — if you receive unsolicited contact from law firms or medical companies referencing your specific Trinity treatment history, that is potentially evidence of misuse.
- Consider joining the Jackson v. Trinity Health class action if you receive a notification letter. The case is pending in the E.D. Michigan.
- Stop the ongoing flow of your records through health information exchanges. HealthConsent files HIPAA restriction requests including across TEFCA / Carequality / eHealth Exchange pathways — these federated networks are difficult to opt out of through standard provider workflows.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Trinity Health & UPMC Notify Patients of HIE Unauthorized Access
- Becker's Hospital Review: Trinity Health Notifies Patients of Data Exposure Tied to Health Gorilla
- Becker's Hospital Review: Trinity Health, Health Gorilla Sued
- Healthcare IT News: Epic and Health Systems Sue Health Gorilla
- Justia Dockets: Jackson v. Trinity Health Corporation et al.
- Vermont AG: 2026-03-13 Trinity Health Data Breach Notice
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.