
Trinity Health, one of the largest not-for-profit Catholic health care systems in the United States, reported a data breach involving the unauthorized disclosure of patient health information through an electronic Health Information Exchange (HIE).
The breach was reported to the Massachusetts Attorney General and the Vermont Attorney General, as well as the U.S. Department of Health and Human Services.
The breach affected 2,740 individuals, including 51 residents of Massachusetts.
On Jan. 13, 2026, Trinity Health was notified by its HIE partner of a potential unauthorized disclosure of patient health information. An HIE member called Health Gorilla, which manages data exchange requests for certain other companies, had stated that patient health information was needed for treatment purposes.
However, the HIE was unable to confirm Health Gorilla's statements or whether the companies that received the information had proper authorizations for the data they obtained through the exchange, according to the notice.
This raised concerns that patient data may have been shared without appropriate authorization.
The types of information that may have been disclosed vary based on the content of the information exchanged but may have included clinical care details, demographic information, insurance information and potentially driver license numbers.
Additional categories of exposed information listed in regulatory filings include medical records, email addresses, location of service, medical record numbers, member numbers, patient ID numbers, patient names, procedure names, provider names and specialties, and transaction information.
Trinity Health is offering complimentary credit monitoring and identity protection services to affected individuals. The services are being provided by Cyberscout, a TransUnion company.
Trinity Health has set up a dedicated assistance line for people with questions about the incident. Affected individuals can call 1-833-877-5364, Monday through Friday, between 7 a.m. and 7 p.m. CT, excluding holidays.
People may also write to Trinity Health at 20555 Victor Parkway, Livonia, MI 48152 or email privacyofficer@trinity-health.org.
Monitor Explanation of Benefits statements. People who receive an Explanation of Benefits (EOB) statement from their health insurance provider should review it carefully. They should look for any services, procedures or provider visits they do not recognize.
Watch for signs of insurance fraud. Since insurance information was potentially exposed, affected individuals should be alert to any unexpected bills, claims or correspondence from health care providers they have not visited. They should contact their insurance company if they notice any suspicious activity.
Take advantage of the free credit monitoring. Because driver license numbers were potentially exposed, affected individuals should consider enrolling in the complimentary credit monitoring services offered by Trinity Health through Cyberscout.
Consider placing a fraud alert or credit freeze. A fraud alert is a free, one-year notice placed on a credit file that requires businesses to verify a person's identity before extending new credit. A credit freeze goes further by preventing a credit bureau from releasing information without express authorization.
Either option can be set up by contacting any one of the three major credit reporting bureaus.
Review credit reports regularly. Under federal law, every person is entitled to one free credit report per year from each of the three major credit reporting bureaus. These reports can be ordered at AnnualCreditReport.com or by calling 1-877-322-8228.
Be cautious of phishing attempts. After any data breach, scammers may send emails or make phone calls pretending to be from Trinity Health or a related organization. People should be cautious of any unsolicited messages that reference this breach and ask for personal information.







