Michigan Medicine breach raises new questions about health data exchange

Michigan Medicine notified about 551 patients on May 1, 2026, after Epic Systems flagged unusual activity involving third-party companies requesting patient records through a health information exchange.

What happened

The Ann Arbor-based health system said the access occurred between October 18, 2023, and November 12, 2025, and may have involved requests that lacked a confirmed treatment-related reason. The information may have included names, contact details, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance details. Michigan Medicine said Social Security numbers, bank account numbers, credit card numbers, and debit card numbers were not involved.

The incident is tied to Epic’s federal lawsuit against Health Gorilla and other defendants, where Epic alleges that companies used sham provider identities and false treatment purposes to access and monetize patient medical records. Health Gorilla denies Epic’s claims and says it suspended the connections in question while investigating the use of health data. Michigan Medicine said it reviewed the matter, reported it to regulators, and is working with Epic and others to reduce the risk of similar access in the future.

Going deeper

Epic’s complaint frames the incident as more than a routine privacy breach. It alleges a failure in the trust model behind national health information exchange. Epic claims Health Gorilla and related defendants allowed or used entities that appeared to be healthcare providers to request records under a treatment purpose while allegedly using that access for commercial purposes rather than patient care.

The complaint seeks injunctive relief and brings claims including fraud, aiding and abetting fraud, unfair business practices, breach of contract, and violations of the Computer Fraud and Abuse Act. Epic’s core argument is that interoperability depends on honest onboarding, verified treatment purposes, and enforceable network rules; without that, systems built to help clinicians access records quickly can become channels for unauthorized data harvesting.

Patient confidentiality guidance underscores the stakes, noting that “Ensuring the security, privacy, and protection of patients' healthcare data is critical.” Paubox’s mid-year 2025 report adds risk context: HHS recorded 107 email-related healthcare breaches from January through July, affecting 1,653,512 individuals, a sign of how exposed healthcare data remains even across trusted digital channels.

What was said

The court filing notes, “Epic, OCHIN, Reid, Trinity, and UMass Memorial Health bring this action to put a stop to those who are exploiting health information exchange frameworks to fraudulently access and steal sensitive patient health information for financial gain.”

Why it matters

Health information exchange depends on rapid, routine record sharing so clinicians can access a patient’s history, avoid care gaps, and make better treatment decisions. Epic’s complaint argues that this benefit can become a privacy risk when participants are onboarded without enough scrutiny, especially when a request marked as treatment may trigger broad access to patient records without manual review.

The lawsuit’s concerns align with JMIR Publications research on health information exchanges, which found that patients’ willingness to share personal health information depends on conditions such as perceived information security and trust in the recipient. One participant put it simply: “You are willing to share your data as long as you trust the institution.”

FAQs

What is healthcare interoperability?

Healthcare interoperability is the ability of different healthcare systems to exchange patient information. In practice, it lets a hospital, clinic, lab, or provider access relevant medical history from another system when treating a patient.

What is a health information exchange?

A health information exchange is a system or network that allows healthcare organizations to share patient records electronically. The goal is to make care safer and faster by giving providers access to the information they need.

What is Carequality?

Carequality is a national interoperability framework that helps different health data-sharing networks connect with each other. The complaint describes it as a framework that uses common technical standards, confidentiality rules, and a participant directory to support electronic health information exchange.

What is TEFCA?

TEFCA stands for Trusted Exchange Framework and Common Agreement. It is a federal health information exchange framework created to support nationwide sharing of health records between providers, patients, payers, and government agencies.
