A new lawsuit from Epic—run by Judy Faulkner, above—aims to “defend patient privacy,” per a company press release.


Imagine you’ve confided in your doctor about a sensitive medical issue. You haven’t even disclosed the condition to your family. Then, a week later, you get a call from a lawyer who asks to chat about it.

According to the largest electronic health records system in the country, Epic Systems, scenarios like this may be occurring right now. On Tuesday, the healthcare software giant filed a lawsuit in the Central District of California alleging that “bad actors” have been masquerading as medical treatment facilities in order to pull and then misuse at least 295,000 of its patient records. Epic claims those companies were then inappropriately monetizing that patient data—for example, by selling it to lawyers looking for people to join class action lawsuits.

Epic—which was founded by one of the nation’s most successful female entrepreneurs, CEO Judy Faulkner (worth $7.8 billion, per Forbes estimates)—does not yet have proof that allegedly stolen data was ultimately used to build legal cases. But the lawsuit presents evidence to claim that the defendants have been trying. The cofounder of data aggregator and defendant Hoppr has asserted at a law conference that her firm can “request and receive all of your clients’ medical records in less than 48 hours for one low flat fee”; defendant LlamaLab, a medical records manager, advertises “same-day medical records retrieval” to law firms, per the suit (and LinkedIn). Yet another defendant, Nationwide Healthcare Provider Corp, says its system “pulls records straight from providers’ EHRs [electronic health records] and sends them to representative firms,” the suit alleges. The speed at which they’re offering these services is a red flag indicating they’re getting data by falsely claiming treatment purposes, Epic’s complaint claims.

The company allegedly enabling all of these actors is Health Gorilla, a healthcare tech outfit that acts as a gatekeeper through which patient records are exchanged between medical providers. Epic claims that Health Gorilla “knowingly participated in and enabled” the “abuse” of Unit 387 and the other entities, which are its clients.

“Health Gorilla denies the allegations, has acted in good faith, and will vigorously defend [itself],” the firm says in a statement. Defendant Avinash Ravilla, owner of chronic care manager RavillaMed, said that “RavillaMed categorically denies Epic’s allegations”; the other defendants did not reply to requests for comment.

Reid Health, Trinity Health and UMass Memorial Health are co-plaintiffs in Epic’s lawsuit.

The ability of health providers to share patient data with each other is, on the whole, a good thing. The days when patients needed to manually go through a records department or front-desk worker to share their allergies, diagnoses and lab results between providers are largely gone. Instead, we now have “interoperability,” whereby doctors’ systems can digitally exchange records with ease.

“Interoperability is definitely a net positive in the U.S.,” says Dima Goncharov, cofounder and CEO of healthcare data platform Metriport. “This is what prevents patients who may have cancer, chronic medical conditions, from running around from provider to provider with binders of medical records. And it helps patients get proper treatment.” Judy Faulkner has said that Epic jumpstarted the decades-long interoperability revolution.

But that ongoing transformation has also led to complex data-sharing systems where the abuse described in Epic’s lawsuit is possible. Instead of just medical providers requesting data, others can ask for it too.

One such system is Carequality, a nationwide nonprofit ecosystem launched in 2014 that’s become the most common way for health information networks to exchange data. Some 70% of U.S. hospitals currently use it. Carequality is the system through which all of the fraud alleged by Epic occurred. (It is not a party to the lawsuit, but it is referenced throughout.)

Carequality says it enables over 1.2 billion records to be transmitted per month. But it simply does not have the staff—fewer than 10 people in total—to monitor all of the record requests it gets and ensure they’re legitimate. Rather than attempting to do its own vetting, then, Carequality has outsourced the task: intermediaries like Health Gorilla onboard new users, checking that organizations asking for patient records have genuine treatment reasons to do so. Patient data flows through these gatekeepers, not through Carequality. But the incentives are complicated: For a company like Health Gorilla, denying an organization access to Carequality means losing a customer.

And Carequality is not legally obligated to check those gatekeepers’ work, even if participants flag suspicious behavior. “People would be complaining to the executive leadership and be like, ‘I know this company is querying and they’re not treatment.’ And they’d say, ‘You can’t prove it.’ They refused to investigate,” said a Carequality member who asked for anonymity to be able to openly criticize the organization. “I wasn’t surprised to see this [lawsuit]. All those [defendant] names I’ve known about. Everybody whispers about it.”

“Carequality is committed to protecting sensitive patient information,” the organization said in a statement to Forbes, noting the gatekeepers have always been “responsible for overseeing their connections and ensuring compliance.”

Given Carequality’s scope, the number of documents impacted by the alleged fraud could be much greater than the nearly 300,000 so far identified. Epic was only able to track records from its customers, meaning that its calculations exclude significant entities like the U.S. Department of Veterans Affairs, which uses its own system and is transitioning to Oracle Health. About 9 million veterans are enrolled in the VA’s health care network.

There’s reason to expect that patient data misuse does extend beyond what Epic has found. Fewer safeguards exist in this high-speed, interoperability era; exchanged records are not individually checked like they were in the manual days.

“I talk to at least one group every two weeks that either through ignorance or malice are pushing the boundaries of the network—they’re not pure treatment purposes of use,” says Brendan Keeler, who leads the interoperability practice at HTD Health. “It’s really, really common.”

Sometimes non-treatment related uses are legit: Insurers might ask for records to confirm services are necessary before reimbursing. But when the groups asking for data are marketers or lawyers, that’s generally against the rules.

And patients would likely have no idea. Carequality doesn’t have the infrastructure for them to see who has pulled their records, so they can’t easily learn whether that data has been accessed by malicious third parties. Most patients impacted by the behavior alleged in Epic’s complaint are likely unaware that their data was ever stolen.

This isn’t the first time Epic has made allegations like these. In 2024, Particle Health—another Carequality gatekeeper—sued Epic, claiming that the company was a monopoly that illegally crushes its competition, including by temporarily blocking its access to Epic’s records through Carequality. Epic responded by accusing Particle of the same type of behavior of which it now says Health Gorilla is guilty: allowing entities to take patient records by falsely claiming they were needed for treatment purposes. (The legal battle with Particle is ongoing; a federal judge dismissed some of Particle’s claims but allowed its case to proceed in September. CEO Jason Prestinario called that a “step to a bigger victory for better patient care and more patient control of their medical info.” Epic said it “look[ed] forward to the opportunity to present evidence to prevail on the remaining claims.”)

Epic has been heavily scrutinized for its dominant position in the electronic health records industry. The $5.7 billion (2024 revenue) private company is used by about 42% of U.S. hospitals, according to KLAS Research. Its closest competitor, Oracle Health, trails at about 22.9%.

Health Gorilla’s response to Tuesday’s lawsuit draws on antitrust criticisms of Epic. “This is yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data,” the company said in its statement. “These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic.”

The Epic-Particle legal battle has already had wide-reaching impacts. After Particle filed its lawsuit, a similar U.S. government system designed to eventually replace Carequality implemented rules to make it easier for patients to access their own data and to narrow the definition of “treatment,” effectively making it more difficult for non-medical providers to acquire patient records.

If all goes according to Epic’s plan, this new lawsuit could also be influential—perhaps inspiring reforms to Carequality’s vetting system, or structural changes to increase transparency and allow patients to track their data. “It’s the question of the moment,” says Keeler: “Can it evolve more to make sure that we prevent abuse?”

Or, if reforms prove tricky at Carequality, they could be targeted at the government’s system, which went live in 2023, called TEFCA (the Trusted Exchange Framework and Common Agreement). “It’s like a flare gun, a warning sign. That’s how I view it,” says the anonymous Carequality member of Epic’s lawsuit. “I believe the reason they’re setting up these alarms is to get the government to pay more attention to TEFCA, so that it doesn’t fail the way Carequality has.”


This story was updated at 3:55 p.m. on Thursday to clarify that Epic’s accusations against Particle were part of a formal response to Particle’s complaint, not of a counterclaim.