Your Medical Privacy Could Be At Risk, A New Lawsuit Shows

By Forbes

Your Medical Privacy at Risk: An Examination of the Epic Systems Lawsuit

Key Concepts:

  • Electronic Health Records (EHRs): Digital versions of a patient’s paper chart, containing medical history, diagnoses, medications, treatment plans, immunization dates, allergies, and more.
  • Interoperability: The ability of different information systems and software to exchange and use information. In healthcare, this refers to the seamless exchange of patient data between providers.
  • Carequality: A nationwide nonprofit network facilitating the exchange of health information, used by approximately 70% of US hospitals.
  • Health Gorilla: A healthcare technology firm acting as a gatekeeper for patient record exchange.
  • TEFCA (Trusted Exchange Framework and Common Agreement): A newer, government-backed system designed to improve data sharing and interoperability.
  • Monetization of Data: The process of converting patient data into economic value, often through sale or analysis.

I. The Allegations: Data Breach and Misuse

Epic Systems, the largest electronic health records company in the US, has filed a lawsuit alleging “bad actors” have stolen and misused at least 295,000 patient records. The lawsuit claims these records are being inappropriately monetized, specifically by being sold to lawyers seeking participants for class action lawsuits. While Epic lacks definitive proof the data has been used in legal cases, evidence suggests attempts to do so. One defendant reportedly boasted the ability to retrieve a client’s complete medical records in under 48 hours, while another advertised same-day retrieval for law firms. A third claimed to directly access records from providers’ EHRs.

II. Key Players and Their Roles

  • Epic Systems: The plaintiff in the lawsuit, a dominant EHR vendor used by roughly 42% of US hospitals, reporting $5.7 billion in revenue in 2024. Its CEO is Judy Faulkner.
  • Health Gorilla: Allegedly enabled the unauthorized access, acting as a gatekeeper for patient record exchange. Epic claims Health Gorilla “knowingly participated in and enabled the abuse.”
  • Carequality: A nonprofit network handling over 1.2 billion records monthly for approximately 70% of US hospitals. The lawsuit alleges all fraudulent activity occurred through Carequality. Carequality outsources user vetting to intermediaries like Health Gorilla.
  • Reed Health, Trinity Health, and UMass Memorial Health: Co-plaintiffs alongside Epic Systems.
  • Metroport (Dimma Ganchonov, CEO): Argues that interoperability is “definitely a net positive” for the US healthcare system, eliminating the need for physical record transport.

III. The Interoperability Paradox

The lawsuit highlights a critical tension within healthcare’s push for interoperability. While the digital exchange of patient data is generally beneficial, it has created complex systems vulnerable to abuse. The issue isn’t simply medical providers requesting data, but the ability of other entities to access it as well. Carequality, despite handling a massive volume of records, relies on outsourcing vetting processes and lacks a legal obligation to verify the work of gatekeepers like Health Gorilla. A Carequality member, speaking anonymously, stated, “Everybody whispers about it, and I wasn’t surprised to see this lawsuit.”

IV. Data Access and Patient Awareness

The lawsuit centers on non-treatment-related data requests, which are generally prohibited. While legitimate non-treatment uses exist (e.g., insurers verifying care), requests from marketers or lawyers are considered violations. Crucially, patients are largely unaware their data has been accessed, as Carequality does not provide a mechanism for patients to track who has viewed their records. This lack of transparency exacerbates the privacy risk.

V. Previous Legal Battles and Industry Context

This isn’t Epic’s first foray into legal disputes regarding data access. In 2024, Particle Health sued Epic, alleging monopolistic behavior, to which Epic responded by accusing Particle of enabling improper record access. This ongoing legal battle has already influenced new federal data sharing rules aimed at restricting access for non-medical providers. Health Gorilla frames Epic’s lawsuit as “exclusionary,” referencing Epic’s dominant position in the industry and past criticisms.

VI. Potential Outcomes and Reforms

If Epic succeeds in its lawsuit, it could trigger reforms within Carequality or through TEFCA, a government-backed system designed to improve data sharing. These reforms could focus on strengthening vetting processes, increasing oversight of gatekeepers, and enhancing patient control over their data.

Notable Quotes:

  • Epic Systems (regarding alleged actors): “bad actors have been marauding its medical facilities to steal and misuse at least 295,000 patient records.”
  • Dimma Ganchonov (Metroport CEO): “definitely a net positive in the US as it eliminates the need for patients to transport physical binders of medical records between providers.”
  • Carequality Member (anonymous): “Everybody whispers about it, and I wasn’t surprised to see this lawsuit.”
  • Health Gorilla: describes Epic’s actions as “exclusionary.”

Conclusion:

The Epic Systems lawsuit underscores the significant privacy risks inherent in the increasing digitization and interoperability of healthcare data. While data sharing offers substantial benefits, the current system’s vulnerabilities, particularly within networks like Carequality, allow for unauthorized access and monetization of sensitive patient information. The outcome of this lawsuit, and the potential reforms it may inspire, will be crucial in balancing the need for data exchange with the fundamental right to medical privacy.
