GuardDog Telehealth, a defendant in Epic's high-profile lawsuit over the alleged misuse of patient data, admitted it accessed patients' medical records under false pretenses to feed the information to law firms.
The telehealth company made the concession as part of a consent agreement it entered into with Epic and the co-plaintiffs in the lawsuit in order to exit the case.
In the legal filing (links to PDF), GuardDog admitted that "since it began operating as a company in 2024, its goal was to provide chronic care management and remote patient monitoring for patients, but that did not happen." Instead, GuardDog's business "focused on requesting, reviewing and summarizing medical records, and providing those medical records to law firms," and that it gained access to those medical records through the Carequality Framework "by asserting a treatment purpose for those records."
Electronic health record giant Epic and a group of healthcare providers filed a lawsuit in January against Health Gorilla and several of its clients, alleging that the companies fraudulently accessed and monetized patient medical records.
In the lawsuit, filed in a California district court, Epic and the providers allege that Health Gorilla and its clients exploited nationwide interoperability frameworks, namely, Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA).
The lawsuit was filed Jan. 12 by Epic, Reid Health, Trinity Health, UMass Memorial Health and OCHIN, a health IT solutions provider and consultancy. Epic and the healthcare providers claim they are taking legal action to defend patient privacy and protect sensitive medical information.
Epic and the other plaintiffs seek immediate relief for fraud, aiding and abetting fraud, breach of contract and violation of the California Business and Professions Code, as well as violation of the Federal Computer Fraud and Abuse Act.
In the consent judgment filed Friday, GuardDog conceded that some of the records it accessed on behalf of law firms may have been medical records of patients of OCHIN’s and Epic’s healthcare provider customers, including plaintiffs Reid Health, Trinity Health Corporation and UMass Memorial Health Care, Inc.
And the telehealth company said it believed that health information network Health Gorilla was aware of GuardDog’s business activities to provide those medical records to law firms. The company also said it believed, "based on conversations with and representations made by Meredith Manak of Unit 387 and representatives of Health Gorilla," that it was permissible for GuardDog to request medical records through the Carequality Framework using a treatment purpose and then share those records with law firms.
It also admitted its predecessor entity, called Critical Care Nurse Consulting, had been doing the same thing since 2022.
According to the lawsuit filed by Epic and the providers, Health Gorilla, as an on-ramp to TEFCA and Carequality, enabled health tech companies Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog and others to improperly access and monetize nearly 300,000 patient medical records from members of the Epic community. "This is in addition to an unknown number of records taken from organizations nationwide, including from the VA and providers using other EHRs," Epic said in a press release about the lawsuit.
Epic claims Health Gorilla and the health tech companies requested patient records for the purpose of treating patients, but took those patient records for other purposes, including to market them to lawyers looking for potential claimants with specific conditions and diagnoses that would qualify them to join mass tort class-action lawsuits.
The new filing represents an agreement between GuardDog Telehealth and Epic as a stipulated judgment and permanent injunction. If the judge overseeing the lawsuit approves the judgment, GuardDog Telehealth is permanently barred from requesting records using TEFCA or the Carequality interoperability frameworks. The company also will be required to delete any patient health information or records obtained from the frameworks and it will be barred from "any further use or dissemination of any patient health information or records" it obtained.
In a statement, an attorney for GuardDog told Reuters that the company "has always maintained that it acted in good faith, with the goal of supporting patient care to the best of its abilities, whether its patients were involved with the justice system or not.”
Epic, in a statement, said the case continues against Health Gorilla and the remaining defendants.
Health Gorilla argued that the consent judgment "has no legal impact" on the company, stating further that the judgment "is incomplete at best and misleading at best."
"GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not. In addition, when Health Gorilla sought to investigate GuardDog along with the interoperability networks and several major health providers, GuardDog failed to respond and refused to cooperate," the company said in its statement (link to PDF).
Health Gorilla contends that Epic's lawsuit represents "an attack on interoperability that threatens patient safety and efficient healthcare nationwide, made worse by misleading submissions like its agreement with GuardDog."
"Health Gorilla continues to fully comply with all applicable data-sharing frameworks, and we remain confident as we address these claims through the legal processes," the company said.
After the lawsuit was filed in January, Health Gorilla said it "vehemently" denied the allegations. And, the health data network claimed that the lawsuit was "yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data."
In another development, the day the stipulated agreement between GuardDog Telehealth and Epic was filed with the court, UPMC issued a notice that patient records may have been "improperly accessed" by a "national network used to exchange medical information."
"A network named 'Health Gorilla' electronically requested information under the pretext of providing treatment to shared UPMC patients and claimed it had permission to do so. The national network enables health providers to exchange information for the treatment of their patients. UPMC is required to participate in this national network," the health system said in the online statement.
UPMC said Epic, its electronic health record vendor, notified the health system about the allegedly improper access to patient medical records.
The information accessed did not include social security numbers, but could have included name, age, diagnosis and medical history information, UPMC said.
The health system reported this incident to the U.S. Department of Health and Human Services Office for Civil Rights.