Trinity Health Data Breach Exposes Medical Records and Driver License Numbers

Healthcare data breach illustration
Breach Discovery: 13th January 2026Breach Notification: 13th March 2026

What Happened in the Trinity Health Data Breach?

Trinity Health, one of the largest not-for-profit Catholic health care systems in the United States, has disclosed a data breach tied to an electronic Health Information Exchange, or HIE. The Trinity Health data breach involves the unauthorized disclosure of patient health information. As a result, thousands of patients now face potential exposure of sensitive medical and personal details.

According to regulatory filings, Trinity Health was notified by its HIE partner on Jan. 13, 2026, of a potential unauthorized disclosure. An HIE member known as Health Gorilla, which manages data exchange requests for certain other companies, claimed that patient health information was needed for treatment purposes. However, the HIE could not confirm those claims. It also could not verify whether the companies that received the information actually had proper authorization to obtain it.

Because the HIE was unable to validate these authorization claims, Trinity Health launched an investigation into the scope of the disclosure. This review has led to updates in the number of affected individuals over time. Initially, Trinity Health reported 2,740 affected people. That number has since grown to 5,905, showing that the investigation is ongoing and evolving.

Trinity Health reported the incident to the Massachusetts Attorney General, the Vermont Attorney General, and the U.S. Department of Health and Human Services. These filings confirm that this is a real and verified data breach, not merely a suspected incident. The involvement of multiple state regulators and a federal agency underscores the seriousness of the disclosure.

Who was affected?

The Trinity Health data breach affects patients whose health information passed through the HIE system involved in the incident. As a result, the people affected are primarily patients rather than employees. Because the breach happened through a data exchange network, it may touch individuals across multiple states.

Regulatory filings confirm that 5,905 individuals were affected in total, including 51 residents of Massachusetts. This figure has already increased once since the initial report, and it is possible that further updates could follow. Currently, the full state-by-state breakdown of affected patients has not been publicly disclosed beyond the Massachusetts and Vermont notifications.

Given that the breach occurred through a health information exchange rather than a single hospital system, the exposure may involve patients who interacted with multiple providers connected to the exchange. This means some individuals may not immediately realize their information passed through Trinity Health’s systems at all. Consequently, patients should not assume they are unaffected simply because they do not recall a direct relationship with Trinity Health.

What Information Was Potentially Exposed?

The categories of information involved in this breach vary depending on what specific data was exchanged for each patient. However, regulatory filings outline a broad range of sensitive information that may have been disclosed.

  • Clinical care details
  • Demographic information
  • Insurance information
  • Driver license numbers
  • Medical records
  • Email addresses
  • Location of service
  • Medical record numbers
  • Member numbers
  • Patient ID numbers
  • Patient names
  • Procedure names
  • Provider names and specialties
  • Transaction information

Because this breach includes medical records and clinical details, affected patients face a heightened risk of medical identity theft. For example, someone could use stolen medical record numbers or insurance information to fraudulently obtain treatment or prescriptions in a victim’s name. This type of fraud can be especially damaging because it can corrupt a person’s actual medical history.

In addition, the presence of driver license numbers raises the risk of traditional identity theft. Criminals could use this information, combined with names and demographic details, to open fraudulent accounts or file false tax returns. Since insurance information was also involved, there is further risk of insurance fraud, where bad actors submit false claims using a victim’s coverage details.

What is the company doing?

In response to the breach, Trinity Health has begun notifying affected individuals as required under state and federal law. The organization filed breach notifications with the Massachusetts Attorney General and the Vermont Attorney General, and it also reported the incident to the U.S. Department of Health and Human Services. This multi-agency reporting reflects the seriousness with which Trinity Health has treated the disclosure.

As part of its ongoing response, Trinity Health is offering complimentary credit monitoring and identity protection services to affected individuals at no charge. These services are being provided through Cyberscout, a TransUnion company. This offer gives patients a practical tool to help detect any misuse of their information going forward.

Furthermore, Trinity Health has set up a dedicated assistance line for people with questions about the incident. Affected individuals can call 1-833-877-5364, Monday through Friday, from 7 a.m. to 7 p.m. CT, excluding holidays. People may also reach out by mail to Trinity Health at 20555 Victor Parkway, Livonia, MI 48152, or by email to privacyofficer@trinity-health.org.

What Should Affected Individuals Do?

Enroll in the Free Credit Monitoring Offered

Affected individuals should take advantage of the complimentary credit monitoring and identity protection services offered by Trinity Health. Because these services are provided at no cost through Cyberscout, a TransUnion company, there is little reason not to enroll. Doing so can help detect suspicious activity early.

To enroll, patients should follow the instructions included in their breach notification letter. If a letter has not been received but a patient believes they may be affected, they should contact the dedicated assistance line for guidance. Acting promptly ensures monitoring begins as soon as possible.

Watch for Signs of Medical Identity Theft

Because medical records and insurance information were involved, affected patients should carefully review any medical bills, insurance statements, or explanation-of-benefits documents. If any unfamiliar treatments, providers, or charges appear, this could indicate that someone else used a victim’s medical identity. Reporting these discrepancies quickly can limit further damage.

In addition, patients should request copies of their medical records periodically to check for inaccuracies. This is especially important because medical identity theft can lead to incorrect information being added to a patient’s permanent health history. Correcting these errors early can prevent complications with future medical care.

Consider a Fraud Alert or Credit Freeze

Since driver license numbers and other personal details were potentially exposed, affected individuals should consider placing a fraud alert or credit freeze with the major credit bureaus. A fraud alert makes it harder for identity thieves to open new accounts in a victim’s name. A credit freeze goes even further by restricting access to a person’s credit report entirely.

Setting up either protection is generally free and can be done directly through Equifax, Experian, and TransUnion. Although a credit freeze offers stronger protection, it does require temporarily lifting the freeze when applying for new credit. Therefore, individuals should weigh their personal circumstances when choosing between the two options.

Stay Alert for Phishing Attempts

Following any healthcare data breach, scammers often try to exploit the situation through phishing emails, calls, or texts. As a result, affected individuals should be cautious of unsolicited messages claiming to be from Trinity Health, Cyberscout, or credit bureaus. Legitimate organizations will not ask for sensitive information over unverified channels.

Instead of clicking links or replying directly, individuals should verify communications by calling Trinity Health’s dedicated assistance line. This simple step can prevent falling victim to secondary scams that often follow major data breaches. Staying alert during the months after a breach is especially important, since criminals may wait before attempting to use stolen data.

Consult a Data Breach Attorney

Given the sensitive nature of the exposed medical and personal information, affected individuals may want to speak with a data breach attorney. An attorney can help evaluate whether a person qualifies for compensation related to the incident. This is particularly relevant since regulatory filings confirm real harm through unauthorized disclosure.

Because breach investigations often evolve, as shown by the increase from 2,740 to 5,905 affected individuals, legal guidance can help patients understand their rights as new information emerges. Many attorneys offer free consultations, so seeking advice generally costs nothing upfront. This can be a valuable step for anyone concerned about long-term risks from this breach.



More Information

Official Notice from Trinity Health

Official Notice from Mass

Official Notice from Vermont

HHS Office for Civil Rights Breach Notification Portal

Related Data Breaches