Trinity Health Data Breach Exposes Health Information

Trinity Health, one of the largest not-for-profit Catholic health care systems in the United States, reported a data breach involving the unauthorized disclosure of patient health information through an electronic Health Information Exchange (HIE).

The breach affected at least 51 residents of Massachusetts, according to a filing with that state's Office of Consumer Affairs and Business Regulation.

Trinity Health was notified of the potential unauthorized disclosure on Jan. 13, 2026. The company began notifying affected individuals and state regulators in March 2026.

How The Breach Happened

According to regulatory filings, the unauthorized disclosure occurred on Dec. 16, 2022.

On Jan. 13, 2026, Trinity Health was notified by its HIE partner of a potential unauthorized disclosure of patient health information, according to the consumer notice. An HIE member called Health Gorilla, which manages data exchange requests for certain other companies, had stated that patient health information was needed for treatment purposes.

However, the HIE was unable to confirm Health Gorilla's statements or whether the companies that received the information had proper authorizations for the data they obtained through the exchange, according to the notice.

This raised concerns that patient data may have been shared without appropriate authorization.

The types of information that may have been disclosed vary based on the content of the information exchanged but may have included clinical care details, demographic information, insurance information and potentially driver license numbers.

Additional categories of exposed information listed in regulatory filings include medical records, email addresses, location of service, medical record numbers, member numbers, patient ID numbers, patient names, procedure names, provider names and specialties, and transaction information.

The breach was reported to the Massachusetts Attorney General and the Vermont Attorney General.

Trinity Health's response

Trinity Health is offering complimentary credit monitoring and identity protection services to affected individuals at no charge. The services are being provided by Cyberscout, a TransUnion company.

According to the consumer notices, Massachusetts residents are being offered 12 months of monitoring, while Vermont residents are being offered 24 months of monitoring.

Trinity Health has set up a dedicated assistance line for people with questions about the incident. Affected individuals can call 1-833-877-5364, Monday through Friday, between 7 a.m. and 7 p.m. CT, excluding holidays.

People may also write to Trinity Health at 20555 Victor Parkway, Livonia, MI 48152 or email privacyofficer@trinity-health.org.

Steps to take if your information was exposed

Monitor Explanation of Benefits statements. People who receive an Explanation of Benefits (EOB) statement from their health insurance provider should review it carefully. They should look for any services, procedures or provider visits they do not recognize.

Watch for signs of insurance fraud. Since insurance information was potentially exposed, affected individuals should be alert to any unexpected bills, claims or correspondence from health care providers they have not visited. They should contact their insurance company if they notice any suspicious activity.

Take advantage of the free credit monitoring. Because driver license numbers were potentially exposed, affected individuals should consider enrolling in the complimentary credit monitoring services offered by Trinity Health through Cyberscout. Driver license numbers can be used in identity theft, so monitoring credit activity is an important precaution.

Consider placing a fraud alert or credit freeze. A fraud alert is a free, one-year notice placed on a credit file that requires businesses to verify a person's identity before extending new credit. Victims of identity theft may request an extended fraud alert lasting seven years. A credit freeze goes further by preventing a credit bureau from releasing information without express authorization. Either option can be set up by contacting any one of the three major credit reporting bureaus:

• Equifax: 1-800-685-1111
• Experian: 1-888-397-3742
• TransUnion: 1-800-680-7289

Review credit reports regularly. Under federal law, every person is entitled to one free credit report per year from each of the three major credit reporting bureaus. These reports can be ordered at AnnualCreditReport.com or by calling 1-877-322-8228. When reviewing a credit report, people should look for accounts they did not open or credit inquiries they did not authorize.

Be cautious of phishing attempts. After any data breach, scammers may send emails or make phone calls pretending to be from Trinity Health or a related organization. People should be cautious of any unsolicited messages that reference this breach and ask for personal information. Trinity Health's legitimate contact information for this incident is the dedicated phone line at 1-833-877-5364 and the email address privacyofficer@trinity-health.org.