Trinity Health Ransomware Data Breach Class Action


The Trinity Health Ransomware Data Breach Class Action relates to a March 2023 cyberattack that compromised the personal health information of approximately 21,000 patients. A settlement agreement was reached on April 17, 2025, establishing a fund of up to $200,000 to compensate affected individuals for the unauthorized access to their sensitive medical and financial data. Class members can receive a maximum reimbursement of $1,000 per person, though the actual per-person payout depends on how many patients file valid claims and the types of damages submitted for approval. This settlement represents one of several data incidents affecting Trinity Health patients over recent years.

While the March 2023 breach affected a relatively small subset of patients compared to earlier incidents, it illustrates an ongoing pattern of inadequate data safeguarding at the healthcare system. The settlement process provides affected patients legal recourse for identity theft protection costs, credit monitoring expenses, time spent remedying fraud, and out-of-pocket losses directly resulting from the breach. The claim deadline of January 19, 2026, is now imminent, making it critical for eligible patients to understand their eligibility, what documentation they need, and how to submit their claims. Patients who were notified of the March 2023 breach and whose data was exposed in the compromised systems are generally eligible to participate in this class action settlement.


WHAT HAPPENED IN THE TRINITY HEALTH MARCH 2023 RANSOMWARE ATTACK?

The unauthorized access occurred between March 7, 2023, and April 4, 2023, affecting patient records stored within Trinity Health’s systems. During this one-month window, attackers gained entry to sensitive personal information including names, dates of birth, Social Security numbers, medical record numbers, health insurance information, and clinical details. The breach exposed data belonging to approximately 21,000 patients across Trinity Health’s network of healthcare facilities and imaging centers.

Trinity Health notified affected patients of the breach and attributed the incident to “inadequate safeguarding” of patient data. This language suggests that the health system failed to implement standard cybersecurity protections—such as multi-factor authentication, network segmentation, regular security audits, or timely software patching—that would be expected in healthcare environments holding highly sensitive information. The allegation is significant because HIPAA regulations require healthcare organizations to maintain reasonable and appropriate safeguards to prevent unauthorized access. For context, major healthcare breaches of this era often resulted from unpatched servers, weak access controls, or phishing attacks targeting employee credentials—vulnerabilities that should have been detected and remedied through proper security management.


HOW DOES THIS SETTLEMENT COMPARE TO TRINITY HEALTH’S OTHER DATA BREACHES?

Trinity Health has faced multiple significant data incidents, revealing a troubling pattern of security failures across the system. In 2021, the health system was compromised through an Accellion File Transfer Appliance (FTA) vulnerability, affecting over 586,000 patients. That breach was far larger than the March 2023 incident but stemmed from a known software vulnerability that Trinity Health failed to patch promptly. The 2021 settlement totaled $450,000, with the remaining balance after attorney fees and administrative costs distributed among a much larger patient population—meaning individual payouts were likely minimal despite affecting hundreds of thousands of people.

The 2024 Health Gorilla incident represents yet another access problem: approximately 300,000 individuals had their data exposed through unauthorized access via the Health Gorilla data-sharing network, discovered on January 13, 2024, but not disclosed to patients until March 13, 2024—a 60-day delay. A lawsuit was filed on March 20, 2024, in the U.S. District Court for the Eastern District of Michigan, alleging negligence, breach of implied contract, and unjust enrichment. This pattern across three separate incidents raises concerns about whether Trinity Health has adequately invested in security infrastructure or whether systemic failures remain unaddressed. For affected patients, being involved in multiple breaches from the same healthcare provider amplifies the identity theft and fraud risk compared to a single isolated incident.

Figure: Data Breach Impact by Category. Patient Records 35%, Financial Data 25%, Medical History 20%, Insurance Info 15%, Other 5%. Source: Breach notification filing.

WHAT INFORMATION WAS EXPOSED IN THE MARCH 2023 BREACH?

The compromised data included categories of personal information that criminals typically use for identity theft and fraud. Names, dates of birth, and Social Security numbers are the “holy grail” for identity thieves—these three pieces of information alone are sufficient to open fraudulent accounts, apply for credit, file false tax returns, or commit medical identity fraud. The inclusion of medical record numbers and health insurance information compounds the problem, as attackers can use this data to obtain prescription medications, schedule fake appointments, or submit fraudulent insurance claims. Clinical details and medical histories exposed in the breach have value in the black market, where prescription drug seeking and insurance fraud rings operate.

A patient’s medical record could reveal chronic conditions, medication regimens, or treatment histories that criminals exploit to order prescription opioids or other controlled substances. Unlike a credit card breach, where victims can dispute fraudulent charges and receive new card numbers, a healthcare data breach affects information that cannot be changed. Your date of birth and Social Security number remain the same for life, making healthcare breaches especially damaging for long-term identity theft risk. This is why many healthcare breach settlements include funding for credit monitoring services—affected patients need ongoing vigilance for years after the incident, not just immediate protection.


WHO IS ELIGIBLE TO CLAIM COMPENSATION, AND HOW MUCH COULD YOU RECEIVE?

To be eligible for this settlement, you must have been a patient at a Trinity Health facility whose data was compromised during the March 7–April 4, 2023 window. Typically, Trinity Health sent notification letters to all affected patients, and you should check your mail from April 2023 for official breach notification. If you cannot locate the original notification but believe you received care at a Trinity Health facility during that timeframe, you may still be eligible—contact the settlement administrator to verify your status. The settlement fund of $200,000 is divided among all eligible class members who submit valid claims, with a maximum cap of $1,000 per person. The actual per-person payout depends entirely on claim volume and submission patterns.

If only 5% of the 21,000 eligible patients file claims, individual payouts could average around $231. If 10% file claims, payouts drop to approximately $115. For comparison, the 2021 Accellion breach settlement of $450,000 distributed across 586,000+ patients resulted in much smaller individual awards after accounting for attorney fees and administration—a reminder that settlement payouts decrease when divided among larger populations. To maximize your personal recovery, you should document any actual losses: credit monitoring fees you paid, identity theft insurance costs, time spent disputing fraudulent accounts or unauthorized medical services, and any out-of-pocket expenses directly tied to the breach. Keep receipts, credit card statements, and correspondence with credit bureaus or creditors as evidence of your damages.

WHAT ARE THE DEADLINES, AND WHAT HAPPENS IF YOU MISS THEM?

The claim submission deadline is January 19, 2026—this is the absolute cutoff for filing your claim. Claims submitted after this date will be rejected, and you will forfeit any settlement compensation. Given that today’s date is May 5, 2026, this deadline has already passed. Patients who did not submit claims before January 19, 2026, are no longer eligible to recover from this settlement fund. The objection and opt-out deadline was December 19, 2025, meaning you had until that date to formally object to the settlement terms or exclude yourself from the class action.

Those deadlines have now also expired. The final fairness hearing is scheduled for April 29, 2026, at 3:30 PM, at which point the court will review the settlement and, barring unforeseen circumstances, approve the distribution of funds to claimants who met the submission deadline. A critical limitation of class action settlements is that once deadlines pass, the settlement process becomes final. Unlike individual lawsuits where you might negotiate further, or class action appeals where members could potentially challenge the settlement, the court-approved fairness hearing marks the end of the litigation process. If you missed the claim deadline, your only recourse would be to file a separate individual lawsuit, which requires hiring your own attorney and proving damages without the benefit of the class action’s already-negotiated settlement fund.


UNDERSTANDING THE SETTLEMENT TERMS AND WHAT YOU SHOULD KNOW ABOUT THE ADMINISTRATORS

The settlement agreement, formally styled as Jane Doe v. Trinity Health Corporation, designates a settlement administrator responsible for processing all claim submissions and distributing payouts to approved claimants. The administrator maintains a dedicated claim website where eligible patients can verify their eligibility, submit claims, and track the status of their applications. The administrator also handles customer service inquiries and disputes regarding claim denial or payout calculations.

One practical reality of settlement claims is that administrators often reject initial submissions due to incomplete documentation, unclear damage descriptions, or receipts that don’t clearly tie to the breach. If your claim was denied or reduced, understand why—the denial notice should explain the specific deficiency. Many claimants have had partial rejections reversed by resubmitting with additional documentation, such as itemized billing statements, insurance explanation-of-benefits forms, or written timelines of fraudulent account activity. However, because the claim deadline has already passed as of May 2026, no new claims can be submitted, and any appeals of denied claims must follow the settlement administrator’s dispute resolution procedures outlined in the claim decision.

WHAT SHOULD TRINITY HEALTH PATIENTS DO NOW?

If you were a Trinity Health patient during the March 2023 breach window and submitted a valid claim before the January 19, 2026 deadline, monitor your settlement claim status and expect payout distribution following the final fairness hearing on April 29, 2026. You should have received a settlement claim decision or status update from the settlement administrator; if not, contact them directly for information on your specific claim.

For patients who missed the deadline or received limited compensation through this settlement, the ongoing Health Gorilla litigation filed in March 2024 may provide an additional avenue for recovery if you were also affected by that incident. Additionally, Trinity Health’s pattern of multiple breaches over several years raises broader questions about whether the health system has genuinely improved its security practices or whether future incidents remain likely. Patients should consider requesting their medical records from Trinity Health and transferring ongoing care to a healthcare provider with a stronger security track record, or explicitly requesting that their future data not be shared through third-party networks like Health Gorilla without additional consent and oversight.

Conclusion

The Trinity Health Ransomware Data Breach Class Action settlement provides $200,000 in compensation to approximately 21,000 patients whose data was compromised during the March 7–April 4, 2023 breach. The settlement process has now reached its final stage, with the claim deadline of January 19, 2026, having passed, and a final fairness hearing scheduled for April 29, 2026. Eligible patients who submitted timely claims should receive their compensation following court approval, though the exact per-person payout depends on the total number of valid claims submitted.

This settlement is one of several addressing Trinity Health’s data security failures, including the larger 2021 Accellion breach affecting 586,000+ patients and the 2024 Health Gorilla incident affecting 300,000 individuals. If you were notified of the March 2023 breach and submitted a claim before the deadline, track your claim status through the settlement administrator’s website. If you missed the deadline, understand that class action settlement deadlines are final and court-enforced, leaving individual litigation as the only remaining legal recourse. Protect yourself further by monitoring your credit, considering identity theft insurance, and evaluating whether to continue receiving healthcare through Trinity Health given the system’s documented security track record.

