Trinity Health Data Breach Exposes Sensitive Patient Information
Trinity Health, one of the largest not-for-profit Catholic healthcare systems in the U.S., reported a data breach involving unauthorized access to sensitive patient information. The incident, discovered on January 5, 2023, occurred on December 16, 2022, and was linked to an automated Health Information Exchange (HIE).
The breach stemmed from a request by Health Gorilla, an HIE member, for patient data under the guise of treatment purposes. However, Trinity Health’s HIE partner could not verify whether Health Gorilla or the recipient entities had proper authorization to access the information.
Exposed data included driver’s licenses, medical records, clinical care details, insurance information, patient names, and other personally identifiable information (PII). The breach affected at least 51 individuals in Massachusetts, with potential impacts across Trinity Health’s network of 92 hospitals in 25 states.
Trinity Health, headquartered in Livonia, Michigan, employs over 133,000 staff and serves millions of patients. The organization reported the breach to the Massachusetts and Vermont attorneys general in March 2026, though the delay between discovery and notification remains unclear.
Legal firm Shamis & Gentile P.A. is investigating the incident, noting that affected individuals may be eligible for compensation. The breach highlights vulnerabilities in third-party data-sharing systems within healthcare.
Source: https://www.claimdepot.com/investigations/trinity-health-data-breach-2026
Trinity Health cybersecurity rating report: https://www.rankiteo.com/company/trinityhealth
{
    "id": "TRI1773772378",
    "linkid": "trinityhealth",
    "type": "Breach",
    "date": "12/2022",
    "severity": "85",
    "impact": "4",
    "explanation": "Attack with significant impact with customers data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': 'At least 51 individuals in Massachusetts, '
                                  'potentially millions across the network',
            'industry': 'Healthcare',
            'location': 'Livonia, Michigan, USA',
            'name': 'Trinity Health',
            'size': '133,000+ employees, 92 hospitals in 25 states',
            'type': 'Healthcare System',
        },
    ],
    'attack_vector': 'Third-party access via Health Information Exchange (HIE)',
    'data_breach': {
        'number_of_records_exposed': 'At least 51 confirmed, potentially millions',
        'personally_identifiable_information': 'Yes',
        'sensitivity_of_data': 'High',
        'type_of_data_compromised': [
            'Driver’s licenses',
            'Medical records',
            'Clinical care details',
            'Insurance information',
            'Patient names',
            'Personally identifiable information (PII)',
        ],
    },
    'date_detected': '2023-01-05',
    'date_publicly_disclosed': '2026-03',
    'description': 'Trinity Health reported a data breach involving unauthorized '
                   'access to sensitive patient information due to an automated '
                   'Health Information Exchange (HIE) request. The breach exposed '
                   'driver’s licenses, medical records, clinical care details, '
                   'insurance information, patient names, and other personally '
                   'identifiable information (PII).',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage due to '
                                   'unauthorized data exposure',
        'data_compromised': 'Driver’s licenses, medical records, clinical '
                            'care details, insurance information, patient '
                            'names, and other PII',
        'identity_theft_risk': 'High',
        'legal_liabilities': 'Potential legal actions and regulatory fines',
        'systems_affected': 'Health Information Exchange (HIE) system',
    },
    'investigation_status': 'Ongoing (legal investigation by Shamis & Gentile P.A.)',
    'lessons_learned': 'Vulnerabilities in third-party data-sharing systems '
                       'within healthcare, need for stricter verification of data '
                       'access requests',
    'post_incident_analysis': {
        'root_causes': 'Unauthorized access via unverified HIE data-sharing request',
    },
    'recommendations': 'Enhance verification processes for third-party data '
                       'requests, implement stricter access controls, and improve '
                       'monitoring of HIE systems',
    'references': [{'source': 'Cyber Incident Description'}],
    'regulatory_compliance': {
        'legal_actions': 'Legal firm investigating potential compensation for '
                         'affected individuals',
        'regulations_violated': ['Potential HIPAA violations'],
        'regulatory_notifications': 'Reported to Massachusetts and Vermont '
                                    'attorneys general',
    },
    'response': {
        'communication_strategy': 'Reported to Massachusetts and Vermont '
                                  'attorneys general',
        'third_party_assistance': 'Legal firm Shamis & Gentile P.A. '
                                  'investigating the incident',
    },
    'title': 'Trinity Health Data Breach Exposes Sensitive Patient Information',
    'type': 'Data Breach',
    'vulnerability_exploited': 'Unauthorized access due to unverified '
                               'data-sharing requests',
}