Epic Sues Health Gorilla and its Clients Alleging Improper Record Access
Epic Systems Files Federal Lawsuit Alleging Improper Patient Record Access Through Health Information Exchange Network
Electronic medical record system provider, Epic Systems Corporation, and multiple healthcare providers have initiated a federal lawsuit alleging that Health Gorilla and affiliated entities improperly accessed and monetized protected health information from national health information exchange frameworks.
Lawsuit Allegations
The complaint asserts that certain Health Gorilla clients gained access to approximately 300,000 individuals’ patient records without authorization for purposes other than treatment and disclosure to treating providers.
The plaintiffs, OCHIN Inc, Trinity Health Corporation, Reid Hospital & Health Care Services Inc. (Reid Health), and UMass Memorial Health Care Inc., allege that interstate interoperability frameworks, including Carequality and the Trusted Exchange Framework and Common Agreement, were exploited to turn exchanged patient records into commercial data marts.
The lawsuit states that some participants in the exchange falsely represented themselves as legitimate healthcare providers to secure access to sensitive records. Legitimate participants should agree to comply with state and federal laws including HIPAA concerning uses and disclosures of patient information.
The complaint claims that patient records can be obtained by participants authorized by Health Gorilla using minimal demographic information such as names and addresses, without demonstrable clinical treatment activity. Some bad actors market the obtained data for use in identifying individuals for mass tort litigation. Epic alleges that some Health Gorilla clients work as organized syndicates monetizing patient data without the knowledge or permission of patients.
Health Gorilla and several named defendants, deny the allegations and characterize Epic’s claims as attempts to restrict competition and limit access to healthcare data. The named defendants in the lawsuit include RavillaMedPLLC; Shere Saidon; Avinash Ravilla; LlamaLab, Inc.; MammothPath Solution, LLC; Mammoth Rx, Inc.; Unique Medi TechLLC (Mammoth Dx); Ryan Hilton; Daniel Baker; Unit 387 LLC; MaxToovey; SelfRx, LLC (Myself.Health); Hoppr, LLC; Critical CareNurse Consultants, LLC (GuardDog Telehealth); Meredith Manak, and DOES 1-100.
Health Gorilla claims that it is ethically serving the clinical community and aligned healthcare leaders by permitting secure, appropriate access to health data. It is also serving organizations and use cases that Epic doesn’t specifically serve. Since Epic brought up concerns regarding four entities three months ago, Health Gorilla took immediate action, and is working with the company and the related network authorities to deal with the issues.
Legal Claims and Requested Relief
The lawsuit asserts claims including fraud, aiding and abetting fraud, and violations of the Federal Computer Fraud and Abuse Act. Plaintiffs seek injunctive relief, an order to bar the defendants from accessing national exchange frameworks and to require the return or destruction of improperly accessed records.
Industry and Regulatory Context
The complaint expressly references compliance obligations tied to federal statutes governing protected health information, including requirements applicable to entities participating in health information exchange networks.