Earlier this month, Epic, along with a handful of healthcare providers, filed a federal lawsuit against health information network Health Gorilla aimed at stopping an alleged scheme to exploit and monetize patient medical records without consent.
Ultimately, the dispute reflects unresolved ambiguities in how data interoperability should be governed across the healthcare industry. Experts think the lawsuit is less about stopping one bad actor — and more about the need to define standardized rules and limits around healthcare data exchange.
Alleged conspiracy to monetize patient data
The complaint, filed January 13, claims that Health Gorilla enabled other companies to inappropriately access and monetize nearly 300,000 patient medical records. Health Gorilla has denied the allegations.
The plaintiffs are Epic, Trinity Health, UMass Memorial Health, Reid Health and OCHIN. They allege that Health Gorilla and a network of other companies set up fictitious healthcare providers, shell websites and fake provider IDs to make it look like data requests were for real treatment purposes. Instead, the data was allegedly diverted for non-treatment uses — such as marketing to lawyers looking for potential claimants for lawsuits.
The other companies involved in the network are a cluster of small telehealth, data and shell companies — many allegedly linked to the same founders and operators — that the plaintiffs say were used to pose as legitimate providers.
The complaint also stated that the defendants inserted “junk” data into records to hide their activity and give the appearance of genuine care, which in turn risked patient safety and wasted clinician time.
When one fraudulent entity was exposed, the same actors allegedly created new companies to continue the same conduct, operating “like a Hydra,” according to the lawsuit.
The lawsuit alleges violations of HIPAA, as well as other federal and state privacy protections. It also frames the scheme as threatening both patient privacy and the integrity of interoperable health data sharing systems.
The plaintiffs are seeking injunctive relief to immediately put an end to the alleged misconduct.
Health Gorilla is “absolutely ready” to defend its conduct, according to a statement released this week by CEO Bob Watson.
“Epic’s lawsuit not only fails to offer all of the information, but displays an irresponsible use of litigation as a weapon rather than to advance serious claims. As Epic is aware, when Health Gorilla learned of the allegations Epic raises in its complaint, Health Gorilla instantly suspended the connections in question and started investigating their use of healthcare data,” Watson said.
Although Health Gorilla’s investigation is still ongoing, the connections in question have remained suspended, he added.
Watson also said that “Epic has done the equivalent of shouting ‘fire’ in the middle of a crowded theater” regarding interoperability, suggesting that the EHR giant’s claims could unnecessarily alarm the industry and disrupt progress toward legitimate data exchange.
Interoperability vs. governance
The core issue of this legal battle isn’t interoperability — it’s governance, pointed out Jackie Mattingly, senior director of consulting services at healthcare security and compliance firm Clearwater.
“It’s not a case about interoperability failing — it’s the governance that’s lagging behind. Clearly we do need interoperability — because we travel, and we go to different places, and our data needs to be accessible. But the governance hasn’t caught up,” she declared.
Governance weakens once data leaves the EHR, Mattingly noted. While hospitals typically have strong controls within their EHRs, oversight can crumble when data flows to external platforms, analytics tools and third parties. Accountability doesn’t end when data leaves Epic, she said.
She thinks access controls must get stricter, saying that granting data access can’t be a “set it and forget it” process. Healthcare organizations need purpose-based access controls and continuous reassessment of whether data sharing is still justified, Mattingly said.
That gap between technical interoperability and accountability is increasingly seen as a systemic flaw in today’s data sharing infrastructure. Another healthcare leader — Tyler Giesting, director of healthcare M&A at West Monroe — said that the lawsuit exposes shortcomings and ambiguities in TEFCA’s current rules for exchanging clinical data. The Trusted Exchange Framework and Common Agreement (TEFCA) is a federal initiative designed to standardize rules and technical standards for nationwide health data exchange.
The framework is new and still evolving, so it lacks clear, enforceable definitions around who can access data and for what purposes, Giesting noted.
To him, this case highlights the need for stricter, potentially federally-led standards governing nationwide data exchange.
And it’s not the only recent legal battle that has shone light on this issue — in the past two years, courts have also seen lawsuits against data brokers like BetterHelp and Meta over alleged misuse of sensitive health data, as well as disputes involving EHR vendors and interoperability networks over how patient data can be shared.
Providers are concerned about the problem too. Last week, more than 60 health systems — including Stanford Health Care and NYU Langone Health — sent a letter to Mariann Yeager, CEO of The Sequoia Project, a nonprofit that influences the governance of health data sharing networks, demanding greater oversight and transparency.
Closing the gaps
In Giesting’s view, the industry would benefit by shifting to a “trust but verify” framework.
“[TEFCA] is a trust-based model. I think the lawsuit is potentially exposing that there may need to be some kind of a shift to a ‘trust but verify’ model. Is the person requesting the health information really who they say they are? And do they have an authorized reason to receive the clinical record? That’s not fully ironed out in the current framework,” he said.
TEFCA also has gray areas around third-party data use, Giesting added. The framework doesn’t clearly address scenarios where data is requested for purposes outside direct patient care — so Health Gorilla could argue it followed existing rules and TEFCA guidance as a designated qualified health information network.
The lawsuit could make healthcare organizations more cautious about sharing data, Giesting predicted. He thinks some companies may limit participation in TEFCA or data exchange to avoid privacy or legal risks.
He noted that this could slow progress on industry-wide interoperability until clearer federal guidance emerges — echoing the concerns raised by Watson, Health Gorilla’s CEO.
Despite this near-term friction, interoperability is too central to healthcare — in terms of cost control, data-driven care improvements and clinical research innovation — to disappear, Giesting said.
He noted that the case underscores a broader pattern: private-sector innovation moves faster than regulation — especially in the healthcare world.
“I think the private sector often kind of pushes the bar to the next phase. Even with AI, there will be innovation, and then regulatory measures will catch up. I think that’s what’s happening here, and it just points out the importance of having very close coordination between companies in the technology ecosystem, like Epic and Health Gorilla,” Giesting remarked.
Boosting oversight to protect trust
In order to improve data sharing across the sector, interoperability frameworks must actively enforce rules, not just move data, according to Jason Prestinario, CEO of data platform Particle Health.
He argued that frameworks like TEFCA and Carequality can’t be “passive pipes,” saying they need better oversight, compliance monitoring and enforcement. When they fail to do this, trust breaks down, he said.
Particle Health is dealing with an Epic lawsuit of its own, though in this case Epic is the defendant and not the plaintiff. In September 2024, Particle Health sued Epic over claims that the EHR vendor is using its dominance in the market to prevent competition in the payer platform space. The complaint claims that Epic imposed technical and contractual barriers that restricted access to patient data, which has effectively blocked rivals from building competing payer-facing platforms. Last September, a federal judge advanced the antitrust lawsuit.
Even though Particle and Epic aren’t on the friendliest terms right now, Prestinario still believes that Epic is raising legitimate concerns about suspicious activity and the need for stronger protections in health data exchange.
He noted that Epic’s complaint said that it had raised concerns to Health Gorilla and other network participants about suspicious data access and potential misuse of patient data several months before filing the lawsuit.
“Under the assumption that that timeline is correct, that’s unacceptable. It puts every single implementer out there, including Particle, in a tough position,” Prestinario declared.
In other words, if what Epic is alleging is true, then this lack of transparency and inadequate data control poses a systemic risk to interoperability and competition in the health data ecosystem.
Epic allegedly had no visibility into what was investigated or how. Prestinario warned that this lack of transparency can erode trust and restrict legitimate data access.
In his view, scandals like this have two damaging effects: they often lead to reduced participation in nationwide health data exchange, as well as tighter restrictions on necessary data access under the guise of security.
“Every scandal becomes a reason to restrict access, and I worry that this sets up a dynamic where Epic eventually says, ‘We’re out of these frameworks entirely.’ The answer to all of this isn’t less interoperability. It’s not for us to move away from the democratization of legitimate data access. It’s better enforcement of the rules on all sides,” Prestinario remarked.
He said he hopes the industry can tighten safeguards while keeping data accessible.
Photo: Aitor Diago, Getty Images
