
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Epic Sues Health Information Exchange Network Alleging Improper Record Access

Epic Systems, the market-leading electronic medical record system provider, has filed a lawsuit against the health information network Health Gorilla and several of its clients, alleging improper access to the records of 300,000 patients.

The lawsuit, which also names OCHIN Inc, Reid Hospital & Health Care Services Inc. (Reid Health), Trinity Health Corporation, and UMass Memorial Health Care Inc., as plaintiffs, alleges bad actors have fraudulently obtained access to patient data and are abusing access for financial gain. The lawsuit seeks to put an end to the exploitation of health information exchange frameworks for obtaining and monetizing patient data.

The lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework.

Two national frameworks – Carequality and TEFCA – are responsible for almost one billion patient-record exchanges each month. Any provider that participates in either framework makes patient data available to other participants. As a condition of participation, they agree to comply with federal laws such as HIPAA and state regulations regarding uses and disclosures of patient data.


The defendant Health Gorilla and similar implementers of the frameworks control who can enter the frameworks, and in so doing, who can gain unfettered access to patient data. As such, the plaintiffs state that there is an important obligation to ensure that prior to joining the framework, the entity requesting access requires that access for the legitimate purpose of providing treatment to patients. The lawsuit alleges that some participants are masquerading as healthcare providers who provide treatment to patients but seek access to monetize patient records.

Once authorized to participate in the framework, a participant obtains access to real-time patient data and needs only basic demographic information, such as a patient’s name and address, to view that individual’s records. The lawsuit alleges that Health Gorilla clients have been abusing access to patient data for financial gain, for instance, by obtaining patient data to market to lawyers to help them find patients with specific conditions and diagnoses to join mass tort class action lawsuits.

The plaintiffs claim that bad actors take many actions to conceal the true purpose for access, such as maintaining fictitious websites, creating shell entities, and using sham National Provider Identification numbers in the National Plan and Provider Enumeration System to create an illusion of legitimate patient treatment activity. In some cases, the lawsuit claims they have injected clinically useless documents into the frameworks to give a false impression that they are treating patients, potentially putting patient safety at risk or, at the very least, wasting clinicians’ time.

Epic alleged that RavillaMed, a chronic condition management firm, has shared far fewer records with other providers than it retrieved, and the data the firm shared with Epic showed no evidence of any treatment of patients by a clinician, indicating records were accessed for purposes other than treatment. Epic claims that the added information incorporated previous diagnoses that are frequently involved in litigation, and other returned documents lacked any clinical value and are “clinical camouflage.” Epic alleges that RavillaMed and other Health Gorilla clients named in the lawsuit “operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”

Epic claims that when companies are discovered to have become participants in the health information exchange under false pretenses, they simply create new companies to continue their activities. For instance, when concerns were raised about Critical Care Nurse Consulting’s access to patient records over its affiliation with law firms, it ceased accessing patient records through Carequality; a related organization, SelfRx, that had previously been onboarded by Health Gorilla then started taking large volumes of patient records.

According to the lawsuit, when Integritort, a former Particle Health client, was banned from Carequality in October 2024, the former CEO of the company co-founded Mammoth, which started accessing patient records through Health Gorilla, and as was the case with RavillaMed, returned documents with no clinical value.

The lawsuit claims that bad actors rely on technology implementers such as Health Gorilla, which conduct little to no vetting of participants, to gain access to patient data for financial gain, and that the company is knowingly enabling the abuse of patient data. Health Gorilla and the named clients deny all of Epic’s allegations, and Health Gorilla alleges that Epic is attempting to limit the exchange of health information. “These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic,” explained a spokesperson for Health Gorilla. “Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data.”

Epic claims that if healthcare providers participating in interoperability frameworks cannot trust that a request for patient records is made for the purpose of treatment, they may feel compelled to leave the framework, while other healthcare providers that have yet to join may be dissuaded from doing so.

“Bad actors like [the] Defendants have falsely framed Epic and providers’ efforts to safeguard patients’ private medical information as information blocking that is harmful to patients and as unlawful obstruction,” countered Epic. “This intimidation campaign is designed to chill scrutiny and preserve the unscrupulous actors’ access to patient records so they can monetize them, including by selling them to mass tort law firms.”

The lawsuit alleges fraud, aiding and abetting fraud, breach of contract, and violations of the Federal Computer Fraud and Abuse Act and seeks to put an end to the exploitation of interoperability frameworks. In addition to Health Gorilla, the lawsuit names RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC (Mammoth Dx); MammothPath Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC (Myself.Health); Critical Care Nurse Consultants, LLC (GuardDog Telehealth); Hoppr, LLC; Meredith Manak, and DOES 1-100 as defendants.

“We vehemently deny the allegations against Health Gorilla by Epic. This is yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data,” explained Health Gorilla in a statement provided to The HIPAA Journal. “These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic. Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data.”

“LlamaLab denies the allegations in the complaint and categorically disputes any suggestion that the company misused patient information or otherwise participated in any improper conduct. These claims are simply false. We have never sold patient data, and we never will. We intend to defend ourselves vigorously and look forward to contesting Epic’s allegations through the legal process,” said Shere Saidon, Founder & CEO, LlamaLab, in a statement provided to The HIPAA Journal.

Epic Systems is currently facing an antitrust lawsuit, brought by Particle Health, that alleges it is using its market dominance to illegally block access to health records. More recently, Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging unfair, deceptive, and anticompetitive business practices, including restricting parental access to children’s medical records, undermining health technology competition in the state.

Further, “Health Gorilla exists to ethically serve the clinical community and aligned healthcare innovators by enabling secure, appropriate access to health information—including for organizations and use cases that Epic does not directly serve. Because this is active litigation, we can’t comment on specific allegations. What we can say is this: Health Gorilla denies the allegations, has acted in good faith, and will vigorously defend the claims against Health Gorilla.” Health Gorilla explained that when Epic raised concerns about four entities three months ago, prompt action was taken, and the company has been working constructively with Epic Systems and the relevant network authorities to address the concerns.

Update: March 18, 2026: One of the defendants in the lawsuit, GuardDog Telehealth, has admitted to improper access to patient records and has agreed to be barred from participation in HIEs and will delete the data obtained from the HIEs. The company obtained the data under the guise of treatment, but provided patient data to law firms to help them find plaintiffs for class action lawsuits.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
