Epic files lawsuit alleging improper use of health data exchange networks

The electronic health record vendor claims patient records were accessed and monetized without authorization.

 

What happened

Epic Systems has filed a lawsuit alleging that the health information exchange network Health Gorilla and several associated organizations improperly accessed the medical records of roughly 300,000 patients. According to court filings, Epic claims that participants misrepresented themselves as healthcare providers in order to gain access to nationwide interoperability frameworks and retrieve patient data for non-treatment purposes. The lawsuit names Health Gorilla along with multiple healthcare organizations and related entities, and seeks to stop what Epic describes as systematic misuse of health information exchange access.

 

Going deeper

The lawsuit focuses on participation in two major interoperability frameworks, Carequality and TEFCA, which together facilitate nearly one billion patient record exchanges each month. Epic alleges that some entities used minimal demographic details to retrieve full patient records, then used those records for financial gain rather than patient care. According to the complaint, certain participants injected non-clinical or duplicative documents into the exchange to create the appearance of treatment activity. Epic argues that technology implementers such as Health Gorilla failed to adequately vet participants, allowing shell entities and affiliated organizations to rotate access after restrictions were imposed. The complaint asserts that this pattern undermines trust in interoperability systems and exposes patient data to misuse.

 

What was said

In its complaint, Epic Systems said access to nationwide exchange frameworks must be limited to legitimate treatment activity, warning that misuse threatens both patient privacy and provider participation. In the filing, Epic said the alleged conduct “undermines the trust that healthcare providers place in interoperability frameworks and risks discouraging participation in data exchange necessary for patient care.”

Health Gorilla rejected the allegations. In a statement responding to the lawsuit, CEO Bob Watson said Epic’s complaint presents “unfounded and wholly misleading allegations” and stated that Health Gorilla “has long operated in strict conformance with all applicable laws, governance requirements, and industry norms.” Watson said the company “categorically rejects these allegations” and is “fully prepared to defend” its conduct, adding that Health Gorilla “immediately suspended the connections in question and began investigating their use of healthcare data” once concerns were raised.

 

In the know

Reuters reports that the lawsuit outlines three separate alleged methods used to sell medical records after they were accessed by an entity presenting itself as a legitimate healthcare provider.

In one of those scenarios, the lawsuit claims that Health Gorilla, a California-based company that facilitates access to medical record exchange networks, certified RavillaMed as a healthcare provider seeking records for treatment purposes. The data was then routed through RavillaMed to another company, LlamaLab, which allegedly sells medical records to attorneys searching for clients with specific medical conditions.

 

The big picture

The lawsuit comes as questions continue to surface about how nationwide health data exchange networks are governed. In reporting by MedCity News, Epic alleges that Health Gorilla accessed patient records through interoperability frameworks such as Carequality and TEFCA under the banner of treatment, but then used that data for other purposes once it left the electronic health record.

Speaking to MedCity News, David Giesting framed the dispute as part of a familiar pattern in health technology. “I think the private sector generally kind of pushes the bar to the next phase,” Giesting said. “Even with AI, there will be innovation, and then regulatory measures will catch up. I think that’s what’s happening here.” He added that the case points to “the importance of having very close coordination between companies in the technology ecosystem, like Epic and Health Gorilla,” particularly as data moves more freely across shared exchange networks.

 

FAQs

What are Carequality and TEFCA?

They are nationwide frameworks that allow participating healthcare organizations to exchange patient records across different electronic health record systems.

 

Why does Epic claim patient data was misused?

Epic alleges that some participants accessed records for marketing or litigation support rather than for treatment, without patient or provider consent.

 

Does participation in these frameworks require compliance obligations?

Yes. Participants agree to comply with HIPAA, state privacy laws, and framework-specific rules governing permitted uses and disclosures.

 

What risks arise if misuse occurs?

Misuse can expose sensitive health information, erode provider trust in exchange systems, and discourage participation, which may limit data availability for care.
