UPMC Data Breach 2026 (Health Gorilla HIE Scandal): 687 Patients Exposed Through Abused TEFCA Pipeline. What To Do
The University of Pittsburgh Medical Center (UPMC) disclosed in March 2026 that its patient records were extracted through an abused Health Information Exchange (HIE) pipeline operated by Health Gorilla. Records funneled to law firms under sham NPIs and a 'treatment purposes' pretext. 687 UPMC patients exposed. Parallel to Trinity Health 2026 filing. No SSN; clinical notes, visit reasons, diagnoses exposed. No credit monitoring offered (no financial data in scope). Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 13, 2026
Epic Systems notifies UPMC of unauthorized HIE access flagged via network monitoring
Jan 13, 2026
Attacker gained access
Mar 13, 2026
UPMC publicly announces breach; patient notification letters sent; statement posted to upmc.com/privacy-info/alerts
Mar 13, 2026
Disclosed publicly
Mar 14, 2026
HHS OCR filing
Mar 17, 2026
Lynch Carpenter announces class action investigation
Jan 13, 2026
Epic Systems notifies UPMC of unauthorized HIE access flagged via network monitoring
Jan 13, 2026
Attacker gained access
Mar 13, 2026
UPMC publicly announces breach; patient notification letters sent; statement posted to upmc.com/privacy-info/alerts
Mar 13, 2026
Disclosed publicly
Mar 14, 2026
HHS OCR filing
Mar 17, 2026
Lynch Carpenter announces class action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
This is not a classic data breach. UPMC is part of the Epic / Health Gorilla Health Information Exchange (HIE) scandal — the same systemic incident that affected Trinity Health and other Epic-community health systems in early 2026.
The University of Pittsburgh Medical Center (UPMC) is a major integrated health system based in Pittsburgh, PA, running on the Epic EHR.
On January 13, 2026, Epic Systems notified UPMC that its network monitoring had flagged unauthorized HIE access against UPMC’s records. Health Gorilla, a QHIN / interoperability platform on the TEFCA / Carequality network, and “certain network participants” had submitted electronic record requests under the pretext of providing treatment to shared patients — but the records were actually being routed to law firms for mass-tort and litigation-driver purposes. Sham or fraudulent NPIs were used to construct the appearance of legitimate treatment relationships.
Parallel reporting on Michigan Medicine references approximately 300,000 records pulled across Epic-community health systems via this scheme.
UPMC publicly announced the breach on March 13, 2026, sent patient notification letters, and filed with HHS OCR on March 14, 2026 — confirming 687 affected UPMC patients. On March 17, 2026, Pittsburgh-based Lynch Carpenter LLP announced a class action investigation.
UPMC characterizes the incident as abuse of the TEFCA / national exchange trust framework — records left UPMC’s Epic instance via an authorized HIE channel that downstream actors abused, not a hack of UPMC’s systems.
Why HHS OCR classifies this as “Unauthorized Access/Disclosure at Other”
The “Other” location code captures the HIE-as-business-associate categorization. Records moved through an authorized federated-exchange pipe with the wrong identity claim at the other end. The systemic implication: TEFCA and Carequality identity-verification governance has a gap that downstream actors can exploit at scale.
What was stolen
Per UPMC’s notice:
- Full name, date of birth, age
- Clinical notes, visit reasons, diagnoses
- Medical history, orders, test results
Explicitly NOT in scope: Social Security number. UPMC’s notice frames the exposure as clinical-only — no insurance info or driver’s licenses mentioned (a notable difference from Trinity Health’s same-incident filing, which included DL).
What UPMC is offering
- Written notice to affected individuals
- Toll-free line: 1-855-460-8762 (Monday to Friday, 9 a.m. to 5 p.m. Eastern)
No credit monitoring or Cyberscout / identity protection program is mentioned in UPMC’s notice. This contrasts with Trinity Health’s same-incident filing (24 months of Cyberscout). The absence is likely because no SSN or financial data was exposed in UPMC’s case — but if your name is on the leaked clinical records, the exposure is still consequential for mass-tort marketing and unwanted attorney contact.
What to do
- Watch your insurance Explanation of Benefits for unfamiliar claims (low risk here given the clinical-only exposure).
- Be alert to mass-tort marketing solicitations — if you receive unsolicited contact from law firms or medical companies referencing your specific UPMC treatment history, that is potentially evidence of misuse from this leak.
- Document any solicitation that names a specific UPMC visit, diagnosis, or treatment detail — these documents may be valuable in the pending Epic v. Health Gorilla litigation and any future class action.
- Call UPMC at 1-855-460-8762 if you have questions or want to verify whether your records were among those flagged.
- Stop the ongoing flow of your records through health information exchanges. HealthConsent files HIPAA restriction requests including across TEFCA / Carequality / eHealth Exchange pathways — these federated networks are difficult to opt out of through standard provider workflows.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- UPMC: Privacy and Breach Alerts
- UPMC Inside: National Medical Exchange Concern
- HIPAA Journal: Trinity Health & UPMC HIE Unauthorized Access
- Becker's Hospital Review: Epic Flags Improper Access to UPMC Patient Records
- Modern Healthcare: UPMC / Epic / Health Gorilla Coverage
- ClassAction.org: UPMC March 2026
- Lynch Carpenter Investigation Release
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.