Donate
Search wpr.org
, ,

Epic, health care providers sue over alleged misuse of patient records

Complaint: The companies improperly accessed and monetized nearly 300K patient medical records from Epic

By
A garden with a brick path, lush plants, a large tree, and a metal stick-figure sculpture, leading to a brick building entrance in the background.
The main entrance to Epic Systems on Thursday, Aug. 28, 2025, in Verona, Wis. Angela Major/WPR

Verona-based Epic Systems has joined a group of health care providers in a lawsuit accusing a Silicon Valley-based network of companies of fraudulently accessing sensitive patient medical records.

The complaint, filed Jan. 13 in the U.S. District Court for the Central District of California, alleges the defendants exploited two national data exchange networks that allow health care providers to exchange patient records for legitimate treatment purposes. 

The companies improperly accessed and monetized nearly 300,000 patient medical records from Epic users, according to Epic. 

News with a little more humanity

WPR’s “Wisconsin Today” newsletter keeps you connected to the state you love without feeling overwhelmed. No paywall. No agenda. No corporate filter.

This field is for validation purposes and should be left unchanged.

The complaint alleges the defendants posed as medical providers to gain access to records, then used the data for non-treatment purposes without patient consent or authorization.

Health Gorilla, a health data exchange company and designated Qualified Health Information Network, is named as a central defendant. 

Other defendants include RavillaMed, LlamaLab and SelfRx. 

The defendants could not immediately be reached for comment.

Oregon-based OCHIN, Indiana-based Reid Health, Michigan-based Trinity Health, and UMass Memorial Health are also plaintiffs in the lawsuit.

According to the filing, the defendants allegedly:

  • “Operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”
  •  “Request patient records for the purpose of treating patients but take patient records for other purposes including to market them to lawyers looking for potential claimants … to join mass tort or class action lawsuits.”
  •  “Obscure their true purpose through fictitious websites, shell entities, and sham National Provider Identification (NPI) numbers … to create an illusion of legitimate patient treatment activity.”
  •  “Cover their tracks by inserting junk data into patient medical records “to give the false impression that they are treating patients, which risks patient safety and wastes valuable clinician time.”

The plaintiffs are asking a court for an injunction that would immediately halt the alleged conduct, arguing it threatens patient privacy and undermines trust in nationwide health care interoperability systems.

Epic develops a variety of software tools for the health care industry, including Care Everywhere, a data sharing tool that enables the exchange of over 20 million patient records daily.

“Defendants in this case are precisely the sort of malefactors that plague the interoperability system, viewing patient records as a liquid commodity to exploit and thereby reducing patients’ ability to control their own health information,” the lawsuit states. 

Wisconsin Public Radio, © Copyright 2026, Board of Regents of the University of Wisconsin System and Wisconsin Educational Communications Board.

Related Stories