Telehealth company admits to misusing data

GuardDog has admitted to providing medical records to legal firms.

What happened

Telehealthcare company GuardDog recently made the admission as part of a consent judgement it entered into with Epic Systems. Epic, a healthcare software provider, filed a lawsuit against multiple telehealth companies, alleging that providers, including GuardDog, were improperly accessing medical records and then selling the data. The data includes patient names, diagnoses, lab testing, medications, and more. GuardDog made the admission to help exit the lawsuit, which was filed in January.

Going deeper

Epic’s lawsuit alleges that GuardDog, among others, was claiming to use the data for healthcare purposes, but was actually selling the data to law firms for potential use in litigation. Allegedly, the information was sold to personal injury attorneys without patient consent or knowledge. According to the stipulated judgement, GuardDog began operating in 2024 to provide chronic care management and remote patient monitoring “but that did not happen.” The stipulation further stated, “For the duration of [GuardDog’s] existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms.” Epic first noticed in 2022 that several law firms seemed to have access to valuable and confidential medical records.

In the know

According to Reuters, if GuardDog’s admission successfully allows them to exit the lawsuit, the provider would not be required to pay any damages, but would be permanently barred from accessing medical records exchange networks. GuardDog would also have to delete any medical records in its possession. In a statement, GuardDog’s attorney said the company “has always maintained that it acted in good faith, with the goal of supporting patient care to the best of its abilities, whether its patients were involved with the justice system or not.”

The big picture

GuardDog was not the only company named in Epic’s lawsuit. Epic has alleged that there were multiple other schemes that led to more than 300,000 records being improperly accessed and mined for data, with 6,000 records coming from GuardDog. Epic further alleges that Health Gorilla, a health information network, enabled various companies to misuse data. Health Gorilla released a statement denying any knowledge of GuardDog’s wrongdoing.

The case sheds light on how valuable patient records can be for law firms. While champions of cybersecurity often focus on preventing data from landing on the dark web, schemes like these show that the data is valuable to a range of audiences. The incident also shows how many companies may have access to data, often for the purpose of providing better care. Yet with increased interoperability, there’s also increased risk. One Paubox report reminds us that with every third-party that has access to data, it introduces an “invisible risk” of the data being mistakenly or purposefully misused.

The lawsuits against Health Gorilla and the other companies allegedly involved will continue in the state of California.

FAQs

What other companies were named in the lawsuit?

Epic System’s lawsuit is also against Health Gorilla, which currently denies wrongdoing, and many other healthcare services, including RavillaMed, LlamaLab, Mammoth Path Solution, and others. The full list is available in the stipulated judgement.

Why would GuardDog be motivated to sell data?

While it’s unclear why GuardDog would sell data, they were likely financially motivated. According to court documents, one of GuardDog’s top leaders, Keli Heskett, is also the co-founder of Mass Tort Medical Consultants, which provides legal consultation for medical malpractice and personal injuries, showing GuardDog may have had a direct interest in sharing data.