
Earlier this month, Epic, together with a handful of healthcare providers, filed a federal lawsuit against health data network Health Gorilla aimed at stopping an alleged scheme to exploit and monetize patient medical records without consent.
Ultimately, the dispute reflects unresolved ambiguities in how data interoperability should be governed across the healthcare industry. Experts think the lawsuit is less about stopping one bad actor and more about the need to define standardized rules and boundaries around healthcare data exchange.
Alleged conspiracy to monetize patient data
The complaint, filed January 13, claimed that Health Gorilla enabled other companies to inappropriately access and monetize nearly 300,000 patient medical records. Health Gorilla has denied the allegations.
The plaintiffs are Epic, Trinity Health, UMass Memorial Health, Reid Health and OCHIN. They allege that Health Gorilla and a network of other companies set up fictitious healthcare providers, shell websites and fake provider IDs to make it look like records requests were for real treatment purposes. Instead, the data was allegedly diverted for non-treatment uses — such as marketing to lawyers seeking potential claimants for lawsuits.
The other companies involved in the network are a cluster of small telehealth, data and shell companies — many allegedly linked to the same founders and operators — that the plaintiffs say were used to pose as legitimate providers.
The complaint also stated that the defendants inserted “junk” information into records to hide their activity and give the appearance of genuine care, which in turn risked patient safety and wasted clinician time.
When one fraudulent entity was exposed, the same actors allegedly created new companies to continue the same conduct, operating “like a Hydra,” according to the lawsuit.
The lawsuit alleged violations of HIPAA, as well as other federal and state privacy protections. It also framed the scheme as threatening both patient privacy and the integrity of interoperable health data sharing systems.
The plaintiffs are seeking injunctive relief to immediately put an end to the alleged misconduct.
Health Gorilla is “fully prepared” to defend its conduct, according to a statement released this week by CEO Bob Watson.
“Epic’s lawsuit not only fails to provide all the facts, but reflects an irresponsible use of litigation as a weapon rather than to advance serious claims. As Epic knows, when Health Gorilla learned of the allegations Epic raises in its complaint, Health Gorilla immediately suspended the connections in question and began investigating their use of healthcare data,” Watson stated.
Although Health Gorilla’s investigation is still ongoing, the connections in question have remained suspended, he added.
Watson also said that “Epic has done the equivalent of shouting ‘fire’ in the middle of a crowded theater” when it comes to interoperability, suggesting that the EHR giant’s claims could unnecessarily alarm the industry and disrupt progress toward legitimate data exchange.
Interoperability vs. governance
The core issue of this legal battle isn’t interoperability — it’s governance, pointed out Jackie Mattingly, senior director of consulting services at healthcare security and compliance firm Clearwater.
“It’s not a case about interoperability failing — it’s the governance that’s lagging behind. Obviously we do need interoperability — because we travel, and we go to different places, and our data needs to be accessible. But the governance hasn’t caught up,” she declared.
Governance weakens once data leaves the EHR, Mattingly noted. While hospitals typically have strong controls within their EHRs, oversight can crumble when data flows to external platforms, analytics tools and third parties. Accountability doesn’t end when data leaves Epic, she said.
She thinks access controls have to get stricter, saying that granting data access can’t be a “set it and forget it” process. Healthcare organizations need purpose-based access controls and continuous reassessment of whether data sharing is still justified, Mattingly stated.
That gap between technical interoperability and accountability is increasingly seen as a systemic flaw in today’s data sharing infrastructure. Another healthcare leader, Tyler Giesting, director of healthcare M&A at West Monroe, said that the lawsuit exposes shortcomings and ambiguities in TEFCA’s current rules for exchanging clinical data. The Trusted Exchange Framework and Common Agreement (TEFCA) is a federal initiative designed to standardize rules and technical standards for nationwide health data exchange.
The framework is new and still evolving, so it lacks clear, enforceable definitions around who can access data and for what purposes, Giesting noted.
To him, this case highlights the need for stricter, possibly federally-led standards governing nationwide data exchange.
And it’s not the only recent legal battle that has shed light on this issue — in the past two years, courts have also seen lawsuits against data brokers like BetterHelp and Meta over alleged misuse of sensitive health data, as well as disputes involving EHR vendors and interoperability networks over how patient information can be shared.
Providers are concerned about the problem too. Last week, more than 60 health systems — including Stanford Health Care and NYU Langone Health — sent a letter to Mariann Yeager, CEO of The Sequoia Project, a nonprofit that influences the governance of health data sharing networks, demanding better oversight and transparency.
Closing the gaps
In Giesting’s view, the industry would benefit by shifting to a “trust but verify” framework.
“[TEFCA] is a trust-based model. I think the lawsuit is potentially exposing that there may need to be some type of a shift to a ‘trust but verify’ model. Is the person requesting the health information truly who they say they are? And do they have an authorized reason to receive the clinical record? That is not fully ironed out in the current framework,” he stated.
TEFCA also has gray areas around third-party data use, Giesting added. The framework doesn’t clearly address scenarios where data is requested for purposes outside direct patient care — so Health Gorilla could argue it followed existing rules and TEFCA guidance as a designated qualified health information network.
The lawsuit could make healthcare organizations more cautious about sharing data, Giesting predicted. He thinks some companies may limit participation in TEFCA or data exchange to avoid privacy or legal risks.
He noted that this could slow progress on industry-wide interoperability until clearer federal guidance emerges — echoing the concerns raised by Watson, Health Gorilla’s CEO.
Despite this near-term friction, interoperability is too central to healthcare — in terms of cost control, data-driven care improvements and clinical research innovation — to disappear, Giesting said.
He noted that the case underscores a broader pattern: private-sector innovation moves faster than regulation — especially in the healthcare world.
“I think the private sector generally kind of pushes the bar to the next phase. Even with AI, there will be innovation, and then regulatory measures will catch up. I think that’s what’s happening here, and it just points out the importance of having very close coordination between companies in the technology ecosystem, like Epic and Health Gorilla,” Giesting remarked.
Boosting oversight to protect trust
In order to improve data sharing across the sector, interoperability frameworks must actively enforce rules, not just move data, according to Jason Prestinario, CEO of data platform Particle Health.
He argued that frameworks like TEFCA and Carequality can’t be “passive pipes,” saying they need better oversight, compliance monitoring and enforcement. When they fail to do this, trust breaks down, he stated.
Particle Health is dealing with an Epic lawsuit of its own, though in this case Epic is the defendant and not the plaintiff. In September 2024, Particle Health sued Epic over claims that the EHR vendor is using its dominance in the market to prevent competition in the payer platform space. The complaint claims that Epic imposed technical and contractual barriers that limited access to patient data, which has effectively blocked rivals from building competing payer-facing platforms. Last September, a federal judge advanced the antitrust lawsuit.
Even though Particle and Epic aren’t on the friendliest terms right now, Prestinario still believes that Epic is raising legitimate concerns about suspicious activity and the need for stronger protections in health data exchange.
He noted that Epic’s complaint said that it had raised concerns to Health Gorilla and other network participants about suspicious data access and potential misuse of patient records several months before filing the lawsuit.
“Under the assumption that that timeline is accurate, that’s unacceptable. It puts every single implementer out there, including Particle, in a difficult position,” Prestinario declared.
In other words, if what Epic is alleging is true, then this lack of transparency and inadequate data control poses a systemic risk to interoperability and competition in the health data ecosystem.
According to the complaint, Epic had no visibility into what was investigated or how. Prestinario warned that this lack of transparency can erode trust and restrict legitimate data access.
In his view, scandals like this have two damaging effects: they often lead to reduced participation in nationwide health data exchange, as well as tighter restrictions on necessary data access under the guise of security.
“Every scandal becomes a reason to restrict access, and I worry that this sets up a dynamic where Epic eventually says, ‘We’re out of these frameworks entirely.’ The answer to all of this is not less interoperability. It’s not for us to move away from the democratization of legitimate data access. It’s better enforcement of the rules on all sides,” Prestinario remarked.
He said he hopes the industry can tighten safeguards while keeping data accessible.
