MENA Newswire, LOS ANGELES: Epic Systems and several U.S. healthcare providers have filed a federal lawsuit alleging that a health information network and related companies improperly accessed and monetized nearly 300,000 patient medical records through national data-sharing systems designed for treatment. The complaint says the records were obtained without patient knowledge or consent and included sensitive details such as names, diagnoses, medications, and lab and test information.
The suit was filed on Jan. 13 in the U.S. District Court for the Central District of California and names Health Gorilla Inc., a California-based company involved in facilitating access to medical record exchange networks, along with multiple affiliated or customer entities. Epic, based in Wisconsin, is a major electronic health records software vendor and says the alleged activity involved misuse of interoperability pathways used by hospitals, clinics, and other care organizations.
According to the complaint, the defendants obtained records by presenting themselves as legitimate healthcare providers or by using provider credentials to request data under a treatment-related purpose. The plaintiffs allege that the access patterns were inconsistent with routine clinical care and that the data was then used for non-treatment purposes. The filing says the conduct undermined patient privacy and imposed investigative and protective costs on Epic and participating health systems.
The complaint describes what it characterizes as coordinated methods to move records from exchange networks into downstream uses unrelated to medical treatment. In one described flow, a company was allegedly validated as a provider that needed records to facilitate care, and information was then transmitted to another entity that, the lawsuit alleges, sells medical records to attorneys seeking potential claimants for litigation tied to specific diagnoses. The suit also alleges the use of multiple entities to continue large-volume requests after scrutiny increased.
Allegations focus on misuse of interoperability channels
The plaintiffs include Epic and several healthcare organizations, including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health, which the lawsuit says were affected through records accessed from members of the Epic user community. Epic also said the scale of the issue could extend beyond its customer base, alleging an additional unknown number of records may have been taken from organizations nationwide, including the U.S. Department of Veterans Affairs and providers using other electronic health record systems.
Health Gorilla is described in the filings and related statements as a participant in modern health data exchange infrastructure, including roles connected to nationwide interoperability frameworks. The lawsuit alleges those pathways were exploited through improper attestations and validation processes that allowed certain entities to request and retrieve records. The complaint also alleges that some defendants inserted inaccurate or unnecessary information into records in ways that created administrative burdens and raised patient safety concerns.
The lawsuit seeks a court order to bar the defendants from further accessing patient medical records through the exchange systems at issue and to require the destruction of any records obtained through the alleged improper methods. The plaintiffs also seek damages, citing claimed reputational harm and expenses associated with investigating the access, responding to concerns from affected organizations, and developing tools and safeguards intended to prevent similar incidents. Epic has declined to comment publicly beyond its stated position in the case filings and related materials.
Health gorilla disputes wrongdoing as case moves to court
Health Gorilla has denied the allegations and said it plans to defend itself. In public statements reported in coverage of the filing, the company said it has worked with Epic when concerns were raised about certain entities’ activity and rejected claims that it enabled misuse of patient data. Other defendants named in the complaint did not immediately provide public comment in the initial reporting window following the filing.
The case lands amid heightened scrutiny of how health data moves across networks built to support care coordination, referrals, and timely access to patient histories. U.S. interoperability initiatives have expanded the ability of providers to retrieve records across organizations, but the same scale and automation can increase the impact of improper access if controls fail or credentials are misused. The complaint frames the dispute as a test of safeguards, verification, and accountability across connected health information exchange systems.
Court records identify the matter as Epic Systems Corporation v. Health Gorilla Inc., case number 2:26-cv-00321, in the Central District of California. The complaint outlines the plaintiffs’ claims under federal and state legal theories tied to patient information privacy and alleged improper access to protected health information. The defendants will have an opportunity to respond in court, and early proceedings are expected to address injunction requests and preservation of evidence related to the contested record access.