In a high-profile federal lawsuit filed in January 2026, electronic health records giant Epic Systems has accused multiple companies of systematically exploiting healthcare interoperability networks to improperly access and monetize the sensitive medical records of nearly 300,000 patients. The case has spotlighted serious weaknesses in how patient data is shared across providers, raising fresh concerns about digital privacy in healthcare.
The lawsuit, filed in the U.S. District Court for the Central District of California (Epic Systems Corp. v. Health Gorilla Inc., No. 2:26-cv-00321), alleges that Health Gorilla — a health information exchange network — and several associated entities allowed companies to pose as legitimate healthcare providers. These entities allegedly accessed patient records under the false pretense of treatment purposes, only to mine and sell the data, including to law firms seeking clients for litigation.
A Landmark Admission
In a significant development, telehealth company GuardDog Telehealth admitted in mid-March 2026 to the allegations as part of a consent judgment with Epic. The company acknowledged accessing patients’ medical records under false pretenses and providing them to law firms. GuardDog was responsible for approximately 6,000 of the records in question. Epic stated the case will continue against the remaining defendants.
Epic and co-plaintiff healthcare providers, including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health, argue that the scheme undermines patient privacy, violates HIPAA, and threatens the integrity of national health information exchange systems designed to improve care coordination.
How the Alleged Scheme Worked
According to the complaint, the defendants exploited interoperability frameworks that allow authorized healthcare providers to securely share patient records. By misrepresenting themselves as treating providers, the companies gained access to Epic’s network and pulled sensitive medical information without patient knowledge or consent. The data was then allegedly monetized — sold or shared with attorneys looking for individuals with specific medical conditions or injuries to recruit for lawsuits.
Epic claims the misconduct affected records from patients across multiple states, including over 6,000 from Wisconsin. The company describes the activity as part of “organized syndicates” turning legitimate data-sharing tools into unauthorized data marketplaces.
Broader Implications for Digital Privacy in Healthcare
This lawsuit highlights ongoing tensions in the U.S. healthcare system. While interoperability initiatives — supported by federal rules like the 21st Century Cures Act — aim to give patients and providers better access to complete medical histories, they have also created new vectors for misuse.
Critics argue that weak verification processes in some health information exchanges make it too easy for bad actors to impersonate providers. At the same time, the case has sparked debate about whether Epic’s dominant market position (its systems hold records for hundreds of millions of patients) makes it harder or easier to secure data flows.
The revelations come amid other legal pressures on Epic. In March 2026, a separate class-action lawsuit filed in Texas accused the company of using its market dominance to fragment patient records in its MyChart patient portal, making it difficult for patients — particularly those with disabilities — to access complete medical histories across providers. Epic has denied those allegations.
Additionally, Texas Attorney General Ken Paxton previously sued Epic, alleging anticompetitive practices and restrictions on parental access to children’s medical records.
Patient Privacy at Stake
Medical records contain some of the most sensitive personal information: diagnoses, treatment histories, mental health notes, genetic data, and more. Unauthorized access to or sale of this data can lead to identity theft, discrimination, stigma, or exploitation in legal proceedings.
Epic has positioned the lawsuit as a defense of patient privacy and the trustworthiness of healthcare data systems. “What you put up with is what you stand for,” the company stated in a public post announcing the suit.
Experts say the case could prompt federal regulators to strengthen oversight of health information networks, improve identity verification for data requests, and clarify rules around secondary uses of patient data.
What Happens Next
The case against the remaining defendants continues in California federal court. Outcomes could include injunctions to stop the alleged practices, monetary damages, and policy changes across the industry.
For patients, the lawsuit serves as a reminder of the importance of monitoring who has access to their health information and understanding their rights under HIPAA and state privacy laws. Healthcare providers and technology vendors are likely to face increased scrutiny regarding how they authenticate data access requests and monitor for suspicious activity.
As digital health tools and interoperability expand, balancing seamless data sharing with robust privacy protections remains one of the biggest challenges facing the healthcare sector.