{"id":235604,"date":"2026-01-16T02:00:18","date_gmt":"2026-01-16T02:00:18","guid":{"rendered":"https:\/\/www.newsbeep.com\/nz\/235604\/"},"modified":"2026-01-16T02:00:18","modified_gmt":"2026-01-16T02:00:18","slug":"a-bombshell-epic-lawsuit-shows-how-your-medical-data-could-be-at-risk","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/nz\/235604\/","title":{"rendered":"A Bombshell Epic Lawsuit Shows How Your Medical Data Could Be At Risk"},"content":{"rendered":"<p>A new lawsuit from Epic\u2014run by Judy Faulkner, above\u2014aims to &#8220;defend patient privacy,&#8221; per a company press release.<\/p>\n<p>Imagine you\u2019ve confided in your doctor about a sensitive medical issue. You haven\u2019t even disclosed the condition to your family. Then, a week later, you get a call from a lawyer who asks to chat about it.<\/p>\n<p>According to the largest electronic health records system in the country, Epic Systems, scenarios like this may be occurring right now. On Tuesday, the healthcare software giant filed a lawsuit in the Central District of California alleging that \u201cbad actors\u201d have been masquerading as medical treatment facilities in order to pull and then misuse at least 295,000 of its patient records. Epic claims those companies were then inappropriately monetizing that patient data\u2014for example, by selling it to lawyers looking for people to join class action lawsuits.<\/p>\n<p>Epic\u2014which was founded by one of the nation\u2019s most successful female entrepreneurs, CEO Judy Faulkner (worth $7.8 billion, per Forbes estimates)\u2014does not yet have proof that allegedly stolen data was ultimately used to build legal cases. But the lawsuit presents evidence to claim that the defendants have been trying. 
The cofounder of data aggregator and defendant Hoppr has asserted at a law conference that her firm can \u201crequest and receive all of your clients\u2019 medical records in less than 48 hours for one low flat fee\u201d; defendant LlamaLab, a medical records manager, advertises \u201csame-day medical records retrieval\u201d to law firms, per the suit (and LinkedIn). As has yet another defendant, Nationwide Healthcare Provider Corp, a system that says it \u201cpulls records straight from providers\u2019 EHRs [electronic health records] and sends them to representative firms,\u201d the suit alleges. The speed at which they\u2019re offering these services is a red flag indicating they\u2019re getting data by falsely claiming treatment purposes, Epic\u2019s complaint claims.<\/p>\n<p>The company allegedly enabling all of these actors is Health Gorilla, a healthcare tech outfit that acts as a gatekeeper through which patient records are exchanged between medical providers. Epic claims that Health Gorilla \u201cknowingly participated in and enabled\u201d the \u201cabuse\u201d of Unit 387 and the other entities, which are its clients.<\/p>\n<p>\u201cHealth Gorilla denies the allegations, has acted in good faith, and will vigorously defend [itself],\u201d the firm says in a statement. Defendant Avinash Ravilla, owner of chronic care manager RavillaMed, said that \u201cRavillaMed categorically denies Epic\u2019s allegations\u201d; the other defendants did not reply to requests for comment.<\/p>\n<p>Reid Health, Trinity Health and UMass Memorial Health are co-plaintiffs in Epic\u2019s lawsuit.<\/p>\n<p>The ability for health providers to share patient data with each other is, on the whole, a good thing. The days when patients needed to manually go through a records department or front-desk worker to share their allergies, diagnoses and lab results between providers are largely gone. 
Instead, we now have \u201cinteroperability,\u201d whereby doctors\u2019 systems can digitally exchange records with ease.<\/p>\n<p>\u201cInteroperability is definitely a net positive in the U.S.,\u201d says Dima Goncharov, cofounder and CEO of healthcare data platform Metriport. \u201cThis is what prevents patients who may have cancer, chronic medical conditions, from running around from provider to provider with binders of medical records. And it helps patients get proper treatment.\u201d Judy Faulkner has said that Epic jumpstarted the decades-long interoperability revolution.<\/p>\n<p>But that ongoing transformation has also led to complex data-sharing systems where the abuse described in Epic\u2019s lawsuit is possible. Instead of just medical providers requesting data, others can ask for it too. <\/p>\n<p>One such system is Carequality, a nationwide nonprofit ecosystem launched in 2014 that\u2019s become the most common way for health information networks to exchange data. Some 70% of U.S. hospitals currently use it. Carequality is the system through which all of the fraud alleged by Epic occurred. (It is not a party to the lawsuit, but it is referenced throughout.)<\/p>\n<p>Carequality says it enables over 1.2 billion records to be transmitted per month. But it simply does not have the staff\u2014less than 10 people in total\u2014to monitor all of the record requests it gets and ensure they\u2019re legitimate. Rather than attempting to do its own vetting, then, Carequality has outsourced the task. Instead, intermediaries like Health Gorilla onboard new users, checking that organizations asking for patient records have genuine treatment reasons to do so. Patient data flows through these gatekeepers, not through Carequality. 
But the incentives are complicated: For a company like Health Gorilla, denying an organization access to Carequality means losing a customer.<\/p>\n<p>And Carequality is not legally obligated to check those gatekeepers\u2019 work, even if participants flag suspicious behavior. \u201cPeople would be complaining to the executive leadership and be like, \u2018I know this company is querying and they\u2019re not treatment.\u2019 And they\u2019d say, \u2018You can\u2019t prove it.\u2019 They refused to investigate,\u201d said a Carequality member who asked for anonymity to be able to openly criticize the organization. \u201cI wasn\u2019t surprised to see this [lawsuit]. All those [defendant] names I\u2019ve known about. Everybody whispers about it.\u201d<\/p>\n<p>\u201cCarequality is committed to protecting sensitive patient information,\u201d the organization said in a statement to Forbes, noting the gatekeepers have always been \u201cresponsible for overseeing their connections and ensuring compliance.\u201d<\/p>\n<p>Given Carequality\u2019s scope, the number of documents impacted by the alleged fraud could be much greater than the nearly 300,000 so far identified. Epic was only able to track records from its customers, meaning that its calculations exclude significant entities like the U.S. Department of Veterans Affairs, which uses its own system and is transitioning to Oracle Health. About 9 million veterans are enrolled in the VA\u2019s health care network.<\/p>\n<p>There\u2019s reason to expect that patient data misuse does extend beyond what Epic has found. 
Fewer safeguards exist in this high-speed, interoperability era; exchanged records are not individually checked like they were in the manual days.<\/p>\n<p>\u201cI talk to at least one group every two weeks that either through ignorance or malice are pushing the boundaries of the network\u2014they\u2019re not pure treatment purposes of use,\u201d says Brendan Keeler, who leads the interoperability practice at HTD Health. \u201cIt\u2019s really, really common.\u201d <\/p>\n<p>Sometimes non-treatment related uses are legit: Insurers might ask for records to confirm services are necessary before reimbursing. But when the groups asking for data are marketers or lawyers, that\u2019s generally against the rules.<\/p>\n<p>And patients would likely have no idea. Carequality doesn\u2019t have the infrastructure for them to see who has pulled their records, so they can\u2019t easily learn whether that data has been accessed by malicious third parties. Most patients impacted by the behavior alleged in Epic\u2019s complaint are likely unaware that their data was ever stolen.<\/p>\n<p>This isn\u2019t the first time Epic has made allegations like these. In 2024, Particle Health\u2014another Carequality gatekeeper\u2014sued Epic, claiming that the company was a monopoly that illegally crushes its competition, including by temporarily blocking its access to Epic\u2019s records through Carequality. Epic responded by accusing Particle of the same type of behavior of which it now says Health Gorilla is guilty: allowing entities to take patient records by falsely claiming they were needed for treatment purposes. (The legal battle with Particle is ongoing; a federal judge dismissed some of Particle\u2019s claims but allowed its case to proceed in September. 
CEO Jason Prestinario called that a \u201cstep to a bigger victory for better patient care and more patient control of their medical info.\u201d Epic said it \u201clook[ed] forward to the opportunity to present evidence to prevail on the remaining claims.\u201d)<\/p>\n<p>Epic has been heavily scrutinized for its dominant position in the electronic health records industry. The $5.7 billion (2024 revenue) private company is used by about 42% of U.S. hospitals, according to KLAS Research. Its closest competitor, Oracle Health, trails at about 22.9%.<\/p>\n<p>Health Gorilla\u2019s response to Tuesday\u2019s lawsuit draws on antitrust criticisms of Epic. \u201cThis is yet another example of Epic\u2019s exclusionary actions that limit competition and restrict access to healthcare data,\u201d the company said in its statement. \u201cThese actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic.\u201d<\/p>\n<p>The Epic-Particle legal battle has already had wide-reaching impacts. After Particle filed its lawsuit, a similar U.S. government system designed to eventually replace Carequality implemented rules to make it easier for patients to access their own data and to narrow the definition of \u201ctreatment,\u201d effectively making it more difficult for non-medical providers to acquire patient records.<\/p>\n<p>If all goes according to Epic\u2019s plan, this new lawsuit could also be influential\u2014perhaps inspiring reforms to Carequality\u2019s vetting system, or structural changes to increase transparency and allow patients to track their data. 
\u201cIt\u2019s the question of the moment,\u201d says Keeler: \u201cCan it evolve more to make sure that we prevent abuse?\u201d<\/p>\n<p>Or, if reforms prove tricky at Carequality, they could be targeted at the government\u2019s system, which went live in 2023, called TEFCA (the Trusted Exchange Framework and Common Agreement). \u201cIt\u2019s like a flare gun, a warning sign. That\u2019s how I view it,\u201d says the anonymous Carequality member of Epic\u2019s lawsuit. \u201cI believe the reason they\u2019re setting up these alarms is to get the government to pay more attention to TEFCA, so that it doesn\u2019t fail the way Carequality has.\u201d<\/p>\n<p>This story was updated at 3:55 p.m. on Thursday to clarify that Epic\u2019s accusations against Particle were part of a formal response to Particle\u2019s complaint, not of a counterclaim.<\/p>\n","protected":false},"excerpt":{"rendered":"A new lawsuit from Epic\u2014run by Judy Faulkner, above\u2014aims to &#8220;defend patient privacy,&#8221; per a company press 
release.&hellip;\n","protected":false},"author":2,"featured_media":235605,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[13475,139325,31125,139322,134,139324,527,7324,73995,111,139,69,139323,36096,139326],"class_list":{"0":"post-235604","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-healthcare","8":"tag-billionaire","9":"tag-carequality","10":"tag-epic","11":"tag-epic-systems","12":"tag-health","13":"tag-health-gorilla","14":"tag-healthcare","15":"tag-lawsuit","16":"tag-medical-data","17":"tag-new-zealand","18":"tag-newzealand","19":"tag-nz","20":"tag-patient-privacy","21":"tag-steal","22":"tag-tefca"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/235604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/comments?post=235604"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/235604\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media\/235605"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media?parent=235604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/categories?post=235604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/tags?post=235604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}