Overview of the Lawsuit
Trinity Health Corp. and Health Gorilla Inc. now face a proposed class action lawsuit. Plaintiffs filed the case in Michigan federal court on March 20, 2026. The case, Jackson v. Trinity Health Corporation et al (Case No. 2:26-cv-10948), landed in the Eastern District of Michigan. Plaintiffs allege that both organizations failed to protect sensitive patient information. They claim the firms allowed patient data to flow improperly through a health information exchange (HIE) platform.
Furthermore, this lawsuit arrives amid intense scrutiny over how patient data moves between healthcare networks — and who ultimately controls it.
How the Data Breach Unfolded
The January 2026 Discovery
On January 13, 2026, Trinity Health learned from its HIE partner about potential unauthorized access to patient health information. The incident centers on Health Gorilla. The company operates an interoperability platform and manages data access requests for client organizations.
Health Gorilla’s Role
Health Gorilla grants network access to companies that need patient data for treatment purposes. However, the HIE partner could not verify Health Gorilla’s claims. It also could not confirm whether recipient companies held proper authorizations for the data they obtained.
Alleged Misuse of Patient Records
The companies in question allegedly operate as organized syndicates to monetize patient records without patients’ knowledge or consent. These firms requested records for treatment purposes. Then they used those records for other purposes — including marketing them to lawyers seeking potential claimants.
Additionally, Health Gorilla allegedly enabled health tech companies such as Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, and GuardDog to improperly access and monetize nearly 300,000 patient medical records from members of the Epic community.
What Patient Information Was Exposed?
Categories of Compromised Data
The types of information that may have been disclosed vary by individual. They may include clinical care details, demographic information, insurance information, and potentially driver’s license numbers.
Additional Data Categories
Regulatory filings list additional exposed categories. These include medical records, email addresses, location of service, medical record numbers, member numbers, patient ID numbers, patient names, procedure names, provider names and specialties, and transaction information.
Trinity Health has not disclosed the total number of affected individuals. The organization reported the incident to the HHS Office for Civil Rights. However, it does not yet appear on the breach portal.
Trinity Health’s Response to Affected Patients
Credit Monitoring and Identity Protection
Trinity Health is notifying patients about a potential unauthorized disclosure of health information involving a third-party participant in a data-sharing network. In response, Trinity Health has begun notifying affected individuals and is providing 24 months of credit monitoring and identity theft protection services. Cyberscout, a TransUnion company, delivers these services.
Dedicated Assistance Line
Patients with questions can reach Trinity Health directly. The dedicated assistance line — 1-833-877-5364 — operates Monday through Friday. Affected individuals can also email the organization at privacyofficer@trinity-health.org.
The Broader Epic Systems Legal Battle
Epic and Health Systems Go to Court
Health Gorilla faces more than one legal challenge. The plaintiffs in a separate suit include Epic Systems along with health system customers OCHIN, Reid Health, Trinity Health, and UMass Memorial Health. They filed legal action to defend patient privacy and protect sensitive medical information from monetization for non-treatment purposes.
Allegations of a ‘Hydra’ Scheme
The lawsuit describes a recurring pattern of bad actors. When caught, rather than stopping their activity, the bad entity owners simply create new companies. The scheme operates like a Hydra — when one fraudulent entity is exposed, the bad actors birth a new one.
Health Gorilla Denies All Allegations
A Health Gorilla spokesperson said the company vehemently denies the allegations. The spokesperson called it yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data. Health Gorilla also filed a motion to dismiss. The company argues that the plaintiffs bypassed mandatory contractual dispute resolution procedures.
What Patients Can Do Now
Affected individuals should take the following steps promptly:
- Enroll in the complimentary credit monitoring Trinity Health offers through Cyberscout.
- Place a fraud alert or credit freeze with one of the three major credit bureaus.
- Review all credit reports and financial account statements for suspicious activity.
- Stay alert to phishing attempts from scammers posing as Trinity Health representatives.
- Call Trinity Health’s dedicated line at 1-833-877-5364 for personalized guidance.
Key Takeaways
The Trinity Health and Health Gorilla lawsuit highlights a growing vulnerability in healthcare. Data exchange networks are expanding. So too is the potential for misuse of patient information. This case — alongside the Epic-led federal lawsuit — may set critical legal precedents. Courts could soon define how patient health data gets governed, accessed, and protected across the United States.
