Epic says 6,000 Wisconsin patient records among those fraudulently sold | Health

Six thousand patient records from people living in Wisconsin are among a trove of medical files Verona-based health tech giant Epic Systems says were fraudulently accessed and sold by a group of health information companies. 

Epic, along with four other health groups, filed a lawsuit Jan. 13 with the U.S. District Court for the Central District of California in which they allege a health information network, Health Gorilla, allowed companies that Epic called “organized syndicates” to access and market nearly 300,000 patient records for those whose medical data is stored by Epic. This is happening without patient knowledge or permission, the lawsuit says.

The 90-page complaint did not identify the affected patients or their specific providers. 

In Madison, for example, patients who receive care at UW Health can access their medical records, schedule appointments, pay for visits and communicate with providers through MyChart, a software created by Epic.

The lawsuit alleges the companies accessed patient medical records and then sold them to lawyers who sifted through the files to identify potential clients. These companies are “exploiting health information exchange frameworks to fraudulently access and steal sensitive patient health information for financial gain,” the lawsuit argues.

“These rings … are attempting to turn nationwide interoperability frameworks into data marts where sensitive patient information can be bought and sold without patient consent or their physicians’ knowledge,” the Jan. 13 complaint reads. 

Got a news tip?

The Cap Times welcomes tips from readers to help us inform our community. Email tips@captimes.com or visit captimes.com/tips for more options.

The court filing alleges the companies: 

“Operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”

“Request patient records for the purpose of treating patients but take patient records for other purposes including to market them to lawyers looking for potential claimants … to join mass tort or class action lawsuits.”

“Obscure their true purpose through fictitious websites, shell entities, and sham National Provider Identification (NPI) numbers … to create an illusion of legitimate patient treatment activity.”

Cover their tracks by inserting junk data into patient medical records “to give the false impression that they are treating patients, which risks patient safety and wastes valuable clinician time.”

In doing so, Epic says these companies are “ruining” the functionality of health care interoperability, the ways data systems work to share and communicate information for complete patient records including lab testing, diagnostic imaging, pharmacy records, provider notes and charting and insurance and payment. 

This system allows a provider in an emergency room or urgent care, for example, to pull up the patient’s medical records even if that doctor has never seen that person before, to better understand treatment and condition histories.

The companies who sued say the breach violates patient trust in confidentiality and the security of private information. 

“At stake are both the protection of medical records that contain some of a person’s most sensitive data, such as genetic, mental wellbeing, and reproductive information, and the ability of physicians to keep their promises to patients that their information will be kept private,” the lawsuit reads.

Epic said it sent a letter to Health Gorilla and another company, Carequality, raising concerns over the actions in October and filed the lawsuit a few months later.

The suit requests that a judge order the companies who accessed the information to “disgorge their ill-gotten gains resulting from their fraudulent misconduct” and pay it back to the patients whose records had been breached. The filing also requests a judge issue immediate injunctions directing Health Gorilla to permanently bar access of these companies from patient data in the future.

In a statement issued Jan. 13, Health Gorilla said it “vehemently denied” Epic’s allegations in the suit. 

“This is yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data,” Health Gorilla said in the statement. “These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic.”

A lawsuit was filed by the Texas attorney general against Epic in December alleging “unlawful monopolization of the electronic health records industry.”

Epic is joined in its own lawsuit by plaintiffs OCHIN Inc., Reid Hospital & Health Care Services, Trinity Health Corp. and UMass Memorial Health Care Inc.

The Verona-based tech company would not provide an on-the-record interview to the Cap Times on the lawsuit.

Erin McGroarty is the health and policy reporter for the Cap Times. Erin writes about Madison and Dane County’s health care industry and workforce as well as government policies affecting public health and access to care. Email story ideas and tips to emcgroarty@captimes.com.

Please consider supporting Erin’s work by becoming a Cap Times member or sponsor. Sustaining local journalism in Madison depends on readers like you.