Sensitive personal and medical information belonging to patients of a large not-for-profit health system was allegedly accessed and disclosed without authorization through a national health information exchange platform, according to a class action complaint filed in federal court. The complaint, brought by an individual patient on behalf of others similarly situated, was submitted on March 24, 2026, in the United States District Court for the Eastern District of Michigan against Trinity Health Corporation and Health Gorilla Inc.
The plaintiff, Justina Pabon, filed the suit after receiving notice that her protected health information may have been compromised as part of what she describes as an extensive unauthorized access scheme involving both Trinity Health Corporation—a major operator of hospitals across 25 states—and Health Gorilla Inc., which operates as a gatekeeper for nationwide electronic medical record exchanges.
According to the filing, the case does not involve a conventional data breach by external hackers but instead centers on entities that gained access to patient records by “falsely representing that they needed patient records for treatment purposes.” The complaint alleges these entities exploited their access for commercial gain, including providing records to law firms and other third parties for non-treatment purposes. The document states that Trinity was notified by its health information exchange partner about potential unauthorized disclosures on or about January 13, 2026. Trinity began notifying affected patients around March 13, 2026—approximately 59 days later—informing them that compromised data could include clinical care details, demographic information, insurance details, and possibly driver’s license numbers.
The scope of the alleged unauthorized access is described as substantial. The complaint references another lawsuit filed earlier in California federal court by Epic Systems Corporation (along with Trinity and other providers) against Health Gorilla. That lawsuit claims that approximately 300,000 patient medical records from Epic-using healthcare providers were improperly accessed via entities connected through Health Gorilla. The actual number of Trinity-specific patients affected has not been publicly disclosed.
The complaint highlights admissions made by GuardDog Telehealth—a client onboarded by Health Gorilla—which entered into a stipulated judgment in related litigation. GuardDog admitted its business focused on “requesting, reviewing, and summarizing medical records” for law firms rather than providing chronic care management or remote monitoring as initially claimed. GuardDog further stated it believed Health Gorilla was aware of these activities.
Plaintiff Pabon alleges direct harm following notification of the breach: increased spam calls and emails to contact information provided to Trinity; receipt of notifications for purchases she did not make; attempted fraudulent charges; time spent monitoring accounts; anxiety; emotional distress; and loss of value from her relationship with Trinity. She attributes these incidents to the compromise of her private information linked to the breach.
The legal arguments presented in the filing center on claims that both defendants failed in their respective duties to safeguard patient data under federal regulations such as HIPAA (Health Insurance Portability and Accountability Act), industry standards, contractual obligations under interoperability frameworks like TEFCA (Trusted Exchange Framework and Common Agreement), Carequality agreements, and their own public representations regarding data security. The plaintiff asserts that both organizations failed to exercise reasonable oversight over third-party participants who could access sensitive data through these networks.
Specifically named are several entities allegedly onboarded by Health Gorilla—including RavillaMed PLLC—which had previously been removed from similar frameworks due to suspicious activity but was later allowed access again through Health Gorilla’s platform. Other named entities include Mammoth Path Solutions/MammothDx, SelfRx/Myself.Health, Unit 387 LLC, Integritort, Constant Care Health, among others. According to allegations cited from related litigation documents referenced in this case file: “when one fraudulent entity is exposed,” new companies are created “to continue the same conduct.”
The plaintiff seeks certification as a class action representing all individuals whose personally identifiable or protected health information was accessed or compromised via Trinity’s partnership with Health Gorilla’s exchange platform. Requested remedies include compensatory damages; restitution; punitive damages against Health Gorilla for alleged reckless conduct; injunctive relief requiring improved data security practices and oversight mechanisms; extended credit monitoring services at no cost; establishment of notification processes for future incidents; disgorgement of unjustly received proceeds; attorneys’ fees; costs; interest; and any other relief deemed appropriate by the court.
The attorney listed for the plaintiff is Nick Suciu II of Bryson Harris Suciu & DeMay PLLC based in Bloomfield Hills, Michigan. The case is identified as Case No. 2:26-cv-10989-LJM-Cl.
Source: 226cv10989_Justina_Pabon_v_Trinity_Health_Corporation_Complaint_Eastern_District_of_Michigan.pdf
