TL;DR:

  • Nearly 300,000 patient records were allegedly accessed by fake healthcare providers through national health data exchanges
  • The records were sold to law firms hunting potential plaintiffs for class action lawsuits
  • Defendants allegedly created shell websites, fictitious provider IDs, and fake healthcare organizations to appear legitimate
  • "Junk" data was inserted into records to hide the unauthorized activity and give the appearance of real care
  • Epic, Trinity Health, UMass Memorial, Reid Health, and OCHIN filed the federal lawsuit on January 13, 2026

How It Worked

Your doctor's promise to keep your records private depends on a system built on trust. Health data exchanges like Carequality and TEFCA let providers share records for treatment purposes. The idea is simple: if you show up at an ER across the country, doctors should be able to see your medical history.

According to the lawsuit filed January 13, 2026, someone found a profitable exploit.

Health Gorilla and associated companies (MammothRx, RavillaMed, and LlamaLab) allegedly created fake healthcare providers. They built shell websites. They generated fictitious provider IDs. To anyone checking, the requests looked like legitimate treatment inquiries.

They weren't. The records were allegedly diverted to non-treatment uses: marketing the data to law firms assembling class action lawsuits. If you had a specific condition, a specific medication, or a specific treatment, lawyers wanted to know.

The complaint says defendants inserted "junk" information into patient records. The fake data made the access look like real care: appointment notes, follow-up entries, the administrative detritus of legitimate healthcare. It was camouflage.

The Numbers

Nearly 300,000 patient records. That's what the lawsuit claims was improperly accessed.

In Wisconsin alone, Epic says 6,000 patient records were among those "fraudulently sold." Multiply that across the country.

These aren't credit card numbers. This is genetic information. Mental health treatment. Reproductive care. The lawsuit specifically calls out "some of a person's most sensitive data": information patients shared with doctors under promises of confidentiality.

Who's Suing

This isn't just Epic. The other plaintiffs are:

  • Trinity Health: One of the largest nonprofit health systems in the country
  • UMass Memorial Health: Central Massachusetts's largest health system
  • Reid Health: Indiana and Ohio regional provider
  • OCHIN: Health IT organization serving safety-net providers

The federal lawsuit was filed in the U.S. District Court for the Central District of California.

The plaintiffs are asking for a lot: bar the defendants from accessing national health data exchanges, require the return or destruction of improperly obtained records, and prohibit further use of the data. They want a jury trial.

Health Gorilla's Response

Health Gorilla isn't backing down. They call the lawsuit "yet another example of Epic's exclusionary actions that limit competition and restrict access to healthcare data."

The company says it "supports efforts to promote competition, patient choice, and fair access to healthcare data."

This isn't Health Gorilla's first fight with Epic. There's a larger industry battle over who controls health data exchange infrastructure. Epic has faced accusations of monopolistic behavior from competitors and state attorneys general. Texas AG Ken Paxton sued Epic in December 2025, arguing the company "wields monopolistic control over the medical records market."

That context matters. But it doesn't explain away the specific allegations: fake providers, fictitious IDs, shell websites, junk data inserted into records.

What This Means

Health data interoperability was supposed to help you. If you collapse in another state, doctors can pull your records. That's the pitch.

The lawsuit shows the flip side: build a trusted network, and someone will find a way to abuse that trust. The systems that let legitimate providers access your records can be gamed by anyone who looks legitimate enough.

For patients, there's no practical defense. You can't opt out of health data exchanges without opting out of modern healthcare. Your records exist in these systems because your doctors need them there.

The fix has to come from the networks themselves. Carequality and TEFCA need to verify that the entities requesting records are actually providing care, not building marketing lists for law firms.

Whether they'll implement stronger verification after this lawsuit is an open question. What's clear is that the current system let fake providers request real records at scale, and nobody caught it until the data was already gone.
