Trinity Health and the University of Pittsburgh Medical Center (UPMC) have disclosed potential unauthorized access to patient data linked to a Health Information Exchange (HIE) involving a third-party interoperability platform.
Incident Details
Trinity Health, a non-profit Catholic health system based in Michigan, manages more than 92 hospitals across 22 states. It reported that certain patient information was accessed without proper authorization. By participating in automated electronic data exchanges through Health Information Exchanges, healthcare providers are able to obtain patient information for treatment purposes wherever it is needed.
On January 13, 2026, Trinity Health’s HIE partner reported a potential issue involving Health Gorilla. Health Gorilla provides an interoperability platform that processes data access requests for client companies and grants network access to organizations seeking patient information for treatment-related purposes.
The HIE partner indicated that Health Gorilla represented that the data access requests were made for treatment purposes. The partner also stated it could not confirm whether those representations were accurate or whether the companies that obtained the data had appropriate authorization.
Information Potentially Involved
Trinity Health identified several categories of data that may have been accessed, including clinical care information, demographic details, insurance data, and, in some instances, driver’s license numbers. The organization has not disclosed how many individuals may be affected.
Another unauthorized access occurred through a Health Information Exchange and also involved Health Gorilla. Patients of the University of Pittsburgh Medical Center were affected by the incident. UPMC received notification of the potential unauthorized access from its electronic medical record vendor, Epic. UPMC indicated that the information potentially accessed included patient names, ages, diagnoses, and additional details from medical histories.
Response Measures
Health Gorilla has suspended access to the Health Information Exchange for the companies involved in the incident. Trinity Health has begun notifying affected individuals and is providing 24 months of credit monitoring and identity theft protection services.
The University of Pittsburgh Medical Center has also initiated patient notifications. The incident has been reported to the U.S. HHS Office for Civil Rights. However, the incident is not yet posted on the OCR breach portal, and the number of affected individuals has not been disclosed.
Regulatory Context
The reported activity involves potential unauthorized access to protected health information (PHI) within systems designed to support data sharing for treatment purposes. The inability to confirm whether access was authorized presents compliance considerations under the HIPAA Privacy Rule and the HIPAA Security Rule related to permissible disclosures and access management.
No additional findings or enforcement actions have been reported. Other healthcare organizations are expected to issue notifications related to similar activity connected to the same HIE and interoperability platform. The full scope of the impact has not been determined.


