Epic's lawsuit against Health Gorilla raises broader issues about the future of data sharing, industry executives say

Electronic health record giant Epic and a group of healthcare providers are suing health information network Health Gorilla and several of its clients over allegations that the companies fraudulently accessed and monetized patient medical records. 

In the lawsuit, filed in a California federal district court, Epic and the providers allege that Health Gorilla and its clients exploited the two nationwide interoperability frameworks, Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA).

The lawsuit was filed Jan. 12 by Epic, Reid Health, Trinity Health, UMass Memorial Health and OCHIN, a health IT solutions provider and consultancy. Epic and the healthcare providers claim they are taking legal action to defend patient privacy and protect sensitive medical information.

Health Gorilla is a Qualified Health Information Network (QHIN) under the federal TEFCA and also serves as an implementer, or on-ramp, for Carequality. TEFCA and Carequality are national frameworks that together carry more than a billion patient-record exchanges each month. Neither TEFCA nor Carequality is named as a defendant in the lawsuit.

In a statement to Fierce Healthcare, Carequality said it is committed to protecting sensitive patient information. All Carequality implementers and their connections are subject to a set of rigorous legal, governance and technical requirements, and implementers are responsible for overseeing their connections and ensuring compliance, the organization said.

Carequality's nationwide health data exchange service is used by more than 600,000 care providers, 50,000 clinics and 4,200 hospitals to access patients’ medical records. Carequality says it supports the exchange of 1.2 billion clinical documents each month.

According to the lawsuit, Health Gorilla, as an on-ramp to TEFCA and Carequality, enabled health tech companies Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog and others to improperly access and monetize nearly 300,000 patient medical records from members of the Epic community. "This is in addition to an unknown number of records taken from organizations nationwide, including from the VA and providers using other EHRs," Epic said in a press release about the lawsuit.

OCHIN, Reid Health, Trinity Health, UMass Memorial Health and Epic said the organizations filed the lawsuit to "stop conduct that threatens patient privacy and the integrity of care."

Epic and the provider organizations allege in the lawsuit that Health Gorilla and some of its clients "operate as organized syndicates to monetize patient records without patients’ knowledge or consent."

Epic claims Health Gorilla and the health tech companies requested patient records under the declared purpose of treating patients but used those records for other purposes, including marketing them to lawyers looking for potential claimants whose conditions and diagnoses would qualify them to join mass tort lawsuits.

The lawsuit claims these companies mask their true commercial purpose by using "fictitious websites, shell entities and sham National Provider Identification (NPI) numbers" to create "an illusion of legitimate patient treatment activity."

The companies also cover their tracks, the lawsuit alleges, by inserting "junk data into patient medical records to give the false impression that they are treating patients, which risks patient safety and wastes valuable clinician time," Epic states in the complaint.

Health Gorilla, in a statement issued Jan. 12, said it "vehemently" denies the allegations. Echoing Particle Health's own dispute with Epic, the health data network claims that the EHR company uses its market power in the health tech industry to control access to medical data.

"This is yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data," the company said in its statement. "These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic. Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data."

"Health Gorilla exists to ethically serve the clinical community and aligned healthcare innovators by enabling secure, appropriate access to health information—including for organizations and use cases that Epic does not directly serve," the company said. 

The company said it cannot comment on specific allegations that are part of active litigation. "What we can say is this: Health Gorilla denies the allegations, has acted in good faith, and will vigorously defend the claims against Health Gorilla. When Epic raised concerns regarding four entities three months ago, we acted promptly and we have been working constructively with Epic and the relevant network authorities to address those concerns," the company said.

"Epic, OCHIN, Reid, Trinity, and UMass Memorial Health bring this action to put a stop to those who are exploiting health information exchange frameworks to fraudulently access and steal sensitive patient health information for financial gain," the plaintiffs state in the lawsuit. "Masquerading as healthcare providers who are treating patients, these bad actors have accessed and monetized many thousands of patient records. These actors are putting the enormous positive patient outcomes achieved through interoperability at risk."

"If not stopped, they will continue to inappropriately market the patient data they have already taken and will take more through their almost unfettered access to the patient records of millions of patients held in the custody of most providers in America, including provider organizations using Epic’s interoperability software," Epic and the provider organizations wrote in the lawsuit.

Epic and the healthcare providers claim that Health Gorilla and its clients named in the suit are "attempting to turn nationwide interoperability frameworks into data marts where sensitive patient information can be bought and sold without patient consent or their physicians’ knowledge."

The lawsuit continues, “when caught, rather than stopping their activity, the bad entity owners, operators and those in their inner circles simply create new companies. The scheme thus operates like a Hydra: when one fraudulent entity is exposed, the bad actors birth a new one."

The Carequality and TEFCA frameworks rest on a trust-based architecture in which implementers such as Health Gorilla vet and onboard participants, and every other member of the network relies on that vetting having been done properly. "Bad actors who exploit the interoperability frameworks undermine the trust upon which healthcare interoperability is founded and threaten the entire interoperability ecosystem," Epic argues.

Epic and the healthcare providers also argue that the conduct described in the lawsuit threatens the sustainability of the interoperability frameworks. "Some of Epic and OCHIN's healthcare provider customers have voiced that, because of the abuses, they have contemplated limiting their participation in the Carequality and TEFCA frameworks or withdrawing from them entirely," the plaintiffs wrote in the lawsuit.

Epic and the other plaintiffs seek immediate relief on claims of fraud, aiding and abetting fraud, breach of contract, violation of the California Business and Professions Code and violation of the federal Computer Fraud and Abuse Act.

Healthcare data exchange practices are also at the center of a separate federal antitrust lawsuit that Particle Health filed against Epic in September 2024. What began as a dispute between the two health tech companies over data exchange practices grew into a federal lawsuit alleging that the EHR giant is trying to muscle out competition.

In September, a district judge granted Epic's motion to dismiss the antitrust claims in part and denied it in part, allowing Particle Health's legal fight against the company to move forward.

Don Rucker, former national coordinator for health IT and now chief strategy officer at 1upHealth, believes the Epic-Health Gorilla lawsuit is essentially a fight over who controls access to clinical data and how those data are governed once they move outside the provider's EHR. The battle between Epic and Health Gorilla highlights intersecting issues around data privacy and patient consent as well as business interests and market competition, he noted.

"It raises fascinating fundamental issues around TEFCA, privacy and security on the one hand and on the other hand, it raises issues around competition and antitrust," Rucker said in an interview. 

The case also highlights the limits of “permitted purpose” data access models, according to Rucker.

"We could fix the problem by just saying, 'HIPAA is actually a good regulation and law on this. If you don't get permission from the patient, the payer or the provider, and you don't have a signed business agreement, then you shouldn't get the data,'" he said.

Rucker asserts that modern, API-driven approaches that enable direct, auditable patient, provider and payer control are increasingly necessary as interoperability scales. 

The HIPAA Privacy Rule permits covered entities to use and disclose protected health information without patient authorization for treatment, payment and healthcare operations; other uses such as research, public health reporting or marketing are governed by separate conditions, and marketing in particular generally requires the patient's written authorization. Exchange frameworks such as Carequality and TEFCA layer their own "purpose of use" declarations on top of this, and because the requesting party asserts the purpose itself, the gap between a declared treatment purpose and actual downstream use creates a grey zone that, some industry executives argue, opens the door to fraudulent use of patients' health data.

By targeting mass-tort data acquisition in its lawsuit against Health Gorilla, Epic made a "tactical strike," according to Brendan Keeler, an interoperability and data liquidity practice lead at HTD Health.

"Rather than engaging the broader conflict between Treatment definitions and real-world utility, it isolates a single, widely disfavored use case (mass-tort acquisition) and pursues it as an exception that no one feels obligated to defend. If they are right, they have an example of real harm that gives them leverage on a few fronts," Keeler wrote in a LinkedIn post.

Epic's lawsuit could shift the policy conversation toward more gatekeeping, auditing or policing of access to and use of patients' medical data.

If Epic succeeds in this legal fight, it sets a precedent that could chill "grey-zone activity," Keeler wrote.

"Even if Epic frames this as targeting only the most egregious conduct, a ruling that broadly interprets 'treatment purpose' or that imposes strict liability for downstream misuse could reach further than the facts of this case. The grey-zone telehealth-plus-retrieval workflow might become legally riskier even if it wasn’t directly at issue here," he wrote.