Active breach tracker Pittsburgh, PA Disclosed March 13, 2026 Part of Health Gorilla HIE cluster

UPMC Data Breach 2026 (Health Gorilla HIE Scandal): 687 Patients Exposed Through Abused TEFCA Pipeline. What To Do

The University of Pittsburgh Medical Center (UPMC) disclosed in March 2026 that its patient records were extracted through an abused Health Information Exchange (HIE) pipeline operated by Health Gorilla. Records funneled to law firms under sham NPIs and a 'treatment purposes' pretext. 687 UPMC patients exposed. Parallel to Trinity Health 2026 filing. No SSN; clinical notes, visit reasons, diagnoses exposed. No credit monitoring offered (no financial data in scope). Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 13, 2026

Epic Systems notifies UPMC of unauthorized HIE access flagged via network monitoring

Jan 13, 2026

Attacker gained access

Mar 13, 2026

UPMC publicly announces breach; patient notification letters sent; statement posted to upmc.com/privacy-info/alerts

Mar 13, 2026

Disclosed publicly

Mar 14, 2026

HHS OCR filing

Mar 17, 2026

Lynch Carpenter announces class action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth, age Explicitly NOT in scope: Social Security number

02

Health records

Don't expire and can't be reissued

Clinical notes Diagnoses Test results

03

Contact & insurance

Phishing + targeted scams

Full name Visit reasons Medical history Orders

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP (Pittsburgh; investigation announced 2026-03-17) Bryson Harris Suciu & DeMay PLLC (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

This is not a classic data breach. UPMC is part of the Epic / Health Gorilla Health Information Exchange (HIE) scandal — the same systemic incident that affected Trinity Health and other Epic-community health systems in early 2026.

The University of Pittsburgh Medical Center (UPMC) is a major integrated health system based in Pittsburgh, PA, running on the Epic EHR.

On January 13, 2026, Epic Systems notified UPMC that its network monitoring had flagged unauthorized HIE access against UPMC’s records. Health Gorilla, a QHIN / interoperability platform on the TEFCA / Carequality network, and “certain network participants” had submitted electronic record requests under the pretext of providing treatment to shared patients — but the records were actually being routed to law firms for mass-tort and litigation-driver purposes. Sham or fraudulent NPIs were used to construct the appearance of legitimate treatment relationships.

Parallel reporting on Michigan Medicine references approximately 300,000 records pulled across Epic-community health systems via this scheme.

UPMC publicly announced the breach on March 13, 2026, sent patient notification letters, and filed with HHS OCR on March 14, 2026 — confirming 687 affected UPMC patients. On March 17, 2026, Pittsburgh-based Lynch Carpenter LLP announced a class action investigation.

UPMC characterizes the incident as abuse of the TEFCA / national exchange trust framework — records left UPMC’s Epic instance via an authorized HIE channel that downstream actors abused, not a hack of UPMC’s systems.

Why HHS OCR classifies this as “Unauthorized Access/Disclosure at Other”

The “Other” location code captures the HIE-as-business-associate categorization. Records moved through an authorized federated-exchange pipe with the wrong identity claim at the other end. The systemic implication: TEFCA and Carequality identity-verification governance has a gap that downstream actors can exploit at scale.

What was stolen

Per UPMC’s notice:

  • Full name, date of birth, age
  • Clinical notes, visit reasons, diagnoses
  • Medical history, orders, test results

Explicitly NOT in scope: Social Security number. UPMC’s notice frames the exposure as clinical-only — no insurance info or driver’s licenses mentioned (a notable difference from Trinity Health’s same-incident filing, which included DL).

What UPMC is offering

  • Written notice to affected individuals
  • Toll-free line: 1-855-460-8762 (Monday to Friday, 9 a.m. to 5 p.m. Eastern)

No credit monitoring or Cyberscout / identity protection program is mentioned in UPMC’s notice. This contrasts with Trinity Health’s same-incident filing (24 months of Cyberscout). The absence is likely because no SSN or financial data was exposed in UPMC’s case — but if your name is on the leaked clinical records, the exposure is still consequential for mass-tort marketing and unwanted attorney contact.

What to do

  1. Watch your insurance Explanation of Benefits for unfamiliar claims (low risk here given the clinical-only exposure).
  2. Be alert to mass-tort marketing solicitations — if you receive unsolicited contact from law firms or medical companies referencing your specific UPMC treatment history, that is potentially evidence of misuse from this leak.
  3. Document any solicitation that names a specific UPMC visit, diagnosis, or treatment detail — these documents may be valuable in the pending Epic v. Health Gorilla litigation and any future class action.
  4. Call UPMC at 1-855-460-8762 if you have questions or want to verify whether your records were among those flagged.
  5. Stop the ongoing flow of your records through health information exchanges. HealthConsent files HIPAA restriction requests including across TEFCA / Carequality / eHealth Exchange pathways — these federated networks are difficult to opt out of through standard provider workflows.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.