The articles describe a significant 2026 dispute over the misuse of health information exchanged by asserting a treatment purpose through Carequality. (Raths) The core allegation is that companies used the health information network Health Gorilla under the pretense of treatment-related access, but instead obtained patient records for non-treatment purposes, including sharing them with law firms seeking potential plaintiffs for litigation. Epic and several provider organizations, including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health, sued Health Gorilla and several related entities, alleging improper access to roughly 300,000 patient records from the Epic community, plus an unknown number from other organizations, including the VA and providers using other EHRs.

Epic Systems filed its lawsuit in January of this year. (See Sources for link to filing.) According to Steve Alder, “the lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework. The lawsuit alleges that Health Gorilla clients have been abusing access to patient data for financial gain.”

Together, the plaintiffs allege that Health Gorilla and a network of companies set up fictitious healthcare providers, shell websites and fake provider IDs to make it look like medical record requests were legitimately for patient care purposes (or, as they are often called, “continuity of care” requests). (Adams)

These major exchange frameworks support large-scale sharing of health records for treatment and care coordination. Participation in these frameworks depends heavily on trust: organizations must represent that they are requesting records for legitimate purposes and comply with HIPAA and related state and federal requirements. The lawsuit argues that this trust was exploited by entities that allegedly misrepresented who they were and why they wanted access. In Health Gorilla’s case, it appears that Health Gorilla controls who is allowed to enter the framework to access patient information.

Several companies have been identified as allegedly accessing the patient data for non-treatment purposes, including:

  • RavillaMed, a chronic condition management firm: Evidence supplied did not demonstrate patient treatment.
  • Critical Care Nurse Consulting: This entity had an affiliation with law firms. Once concerns were raised, they ceased accessing records.
  • SelfRx, another firm onboarded by Health Gorilla, accessed large volumes of records.
  • Particle Health was banned by Carequality, but its former CEO started Mammoth, which then gained access through Health Gorilla. Additionally, Particle Health filed an antitrust lawsuit against Epic Systems alleging that it is using its market dominance to illegally block access to health records. Texas’ attorney general is also going after Epic, alleging, among several things, anticompetitive business practices, including restricting parental access to children’s medical records.

At least initially, all the Health Gorilla clients denied any wrongdoing. However, a major development came this month when GuardDog Telehealth, one of the defendants, entered into a stipulated judgment with Epic and the co-plaintiffs. In that filing, GuardDog admitted that although its stated goal had been to provide chronic care management and remote patient monitoring, that “did not happen.” Instead, it acknowledged that its business focused on “requesting, reviewing, and summarizing medical records” and providing those records to law firms. It also admitted that it obtained records through Carequality by asserting a treatment purpose.

Under the proposed judgment, GuardDog would be permanently barred from requesting records through TEFCA or Carequality, required to delete any patient information obtained through those frameworks, and prohibited from any further use or dissemination of that information.

The GuardDog admission is important for two reasons. First, it validates at least part of the plaintiffs’ theory that interoperability channels can be exploited when organizations rely too heavily on representations of treatment purpose. Second, it raises broader governance questions for health information exchange participants, EHR vendors, and provider organizations. The case suggests that technical interoperability alone is not enough. Robust onboarding, verification, monitoring, and response mechanisms are equally important. If one participant can gain access under false pretenses, the damage can extend well beyond privacy.

This is where health information professionals can play a significant role in verifying and monitoring users and access as well as noting trends and helping block misuse and access.

The MedCity News article notes that Epic’s complaint also alleged that “junk” data was inserted into records to make activity appear legitimate, which could waste clinician time and potentially create patient safety risks.

At the same time, the litigation remains contested. It appears from the various published articles on this case that Health Gorilla allegedly did no vetting of entities requesting access to the patient data. However, Health Gorilla has denied wrongdoing and argues that the GuardDog judgment does not establish liability on Health Gorilla’s part. According to Health Gorilla, GuardDog did not tell it about any non-treatment use, and when Health Gorilla and others tried to investigate, GuardDog allegedly failed to cooperate. Health Gorilla has also framed Epic’s broader lawsuit as an “attack on interoperability” that could threaten efficient data exchange and patient safety if it chills appropriate participation in national exchange frameworks. A hearing on Health Gorilla’s motion to dismiss was reported as set for April 23, 2026. (Raths)

Taken together, the articles point to a central tension in modern health information exchange. The healthcare industry wants faster, broader, more seamless data sharing to improve coordination, reduce duplication, and support patient care. But the same infrastructure can be misused if governance controls are weak or if participants misrepresent their role and purpose. The GuardDog admission does not resolve the full case, but it does underscore a key lesson: interoperability without strong trust controls can expose patients, providers, and others that participate in Carequality, TEFCA, or similar exchange frameworks should revisit how they vet participants, validate treatment purpose, monitor access patterns, investigate unusual behavior, and respond when concerns emerge. They should also recognize that information governance is now inseparable from interoperability strategy. The value of nationwide exchange depends not just on connectivity, but on enforceable accountability. HIM can serve in roles to reinforce vetting, validating, monitoring and investigating within these HIE frameworks.

And what will be the impact on the future of HIEs?

When this incident is no longer just in health industry news and hits the national primetime news …

–How many individuals will refuse to allow their medical records to be placed on health information exchanges?

–How will a potential exodus of health information impact the continuity of patient care?

–How many HIM departments will need to staff their departments through the night to fax records to ED departments elsewhere?

–Are your records one of the 300,000?

These are just a few of the questions that we now need to contemplate.

But the real question is: where is the Office for Civil Rights? An alleged 300,000 patient records were inappropriately accessed. According to Jack Troy, UPMC reported the incident to the U.S. Department of Health and Human Services. I reviewed the OCR breach list of 500+ cases, but did not see any report by any of the plaintiffs; however, it only reflected cases through February. The other issue is that a health information exchange is not a health plan, healthcare payer, or clearinghouse. Therefore, the HIE is not a covered entity, but it should be a Business Associate. Did the covered entities have a Business Associate Agreement in place with Health Gorilla?

There are many issues that have surfaced from this case and we’re likely to see changes to HIPAA and organization privacy practices going forward. 

Stay tuned.

Sources:

Katie Adams. “Why the Epic-Health Gorilla Case Just Got Juicier.” MedCity News. Accessed March 16, 2026. https://medcitynews.com/2026/03/epic-health-gorilla-lawsuit-data/.

Steve Alder. “Epic Sues Health Information Exchange Network Over Improper Record Access.” HIPAA Journal. Accessed March 17, 2026. https://www.hipaajournal.com/epic-sues-health-information-exchange-network-improper-record-access/.

Heather Landi. “GuardDog Telehealth, Epic Reach Agreement in Ongoing Fraud Lawsuit Over Health Records.” Fierce Healthcare. Accessed March 17, 2026. https://www.fiercehealthcare.com/health-tech/guarddog-telehealth-epic-reach-agreement-ongoing-fraud-lawsuit-over-health-records.

David Raths. “In Stipulated Judgment, GuardDog Telehealth Admits Providing Patient Records to Law Firms.” Healthcare Innovation. Accessed March 17, 2026. https://www.hcinnovationgroup.com/interoperability-hie/trusted-exchange-framework-and-common-agreement-tefca/news/55364033/in-stipulated-judgment-guarddog-telehealth-admits-providing-patient-records-to-law-firms.

Jack Troy. “UPMC warns embattled data exchange Health Gorilla may have improperly pulled patient records.” TribLive. Accessed March 21, 2026.

Legal Filing:  https://www.epic.com/content/stipulation-re-judgment-and-permanent-injunction.pdf;  Epic Systems Corporation; OCHIN, Inc.; Reid Hospital & Health Care Services, Inc. d/b/a Reid Health; Trinity Health Corporation; and UMass Memorial Health Care, Inc., Plaintiffs, v. Health Gorilla, Inc.; RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC, d/b/a Mammoth Dx; Mammoth Path Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC d/b/a Myself.Health; Critical Care Nurse Consultants, LLC d/b/a GuardDog Telehealth; Hoppr, LLC; Meredith Manak, and DOES 1-100, Defendants. Case No. 2:26-cv-00321-FMO-RAO

Author Disclosure: This article was prepared with the assistance of ChatGPT.


Rose T. Dunn, MBA, RHIA, CPA, FACHE, FHFMA, CHPS, AHIMA-approved ICD-10-CM/PCS Trainer

Rose T. Dunn, MBA, RHIA, CPA, FACHE, FHFMA, CHPS, is a past president of the American Health Information Management Association (AHIMA) and recipient of AHIMA’s distinguished member and legacy awards. She is chief operating officer of First Class Solutions, Inc., a healthcare consulting firm based in St. Louis, Mo. First Class Solutions, Inc. assists healthcare organizations with operational challenges in HIM, physician office documentation and coding, and other revenue cycle functions.
