Medical Records Sold to Lawyers Without Patients' Knowledge or Consent


Telehealth GuardDog Accesses Sensitive Medical Records Under False Pretenses - CyberStop

■  BLUF — Bottom Line Up Front

A network of companies posing as legitimate healthcare providers fraudulently gained access to the private medical records of nearly 300,000 patients stored in the Epic electronic health records (EHR) system — then sold those records to law firms seeking plaintiffs for mass-tort class action lawsuits, all without patient knowledge or consent. Epic Systems and four major health systems filed a federal lawsuit in January 2026 exposing the scheme. In March 2026, one defendant — GuardDog Telehealth — admitted in court that it did exactly what the lawsuit alleged. The case is ongoing, raises serious HIPAA privacy concerns, and has triggered calls for federal regulators to strengthen oversight of the health data exchange infrastructure on which millions of patients depend.

Introduction: Why This Story Matters to You

When you sit down with your doctor and share details about your prostate cancer diagnosis, your PSA levels, your treatment side effects, or your mental health — you do so with an expectation of complete privacy. You trust that information will stay within the circle of people directly caring for you.

A troubling federal lawsuit has revealed that this trust may have been seriously violated — not by hackers breaking through firewalls, but by companies that exploited the very system built to help your doctors share your records when you need care. This is the story of how that happened, who is responsible, and what patients can do to protect themselves.

Background: How Your Medical Records Are Shared

Modern healthcare relies on a system of electronic medical record sharing. When you visit a new specialist, an emergency room, or a telehealth service, your doctors may legally request your prior records from other providers in order to give you the best possible care. Two national frameworks — Carequality and TEFCA (Trusted Exchange Framework and Common Agreement) — are the digital highways that carry these records. Together, they facilitate close to one billion patient-record exchanges every month.

Epic Systems, headquartered in Verona, Wisconsin, is the dominant player in this ecosystem. Its EHR software manages medical records for more than 300 million patients — roughly 90% of the American population. Any provider or data company participating in Carequality or TEFCA agrees, as a condition of membership, to follow federal law — specifically HIPAA — and to request records only for legitimate purposes, primarily patient treatment.

Between the EHR platforms (like Epic) and the organizations requesting records sit companies called "health information network on-ramps" or technology implementers. One of the most prominent of these is Health Gorilla, a Silicon Valley-based health data exchange company. Health Gorilla acts as a gatekeeper: it vets and onboards companies that want to access records through Carequality and TEFCA, then facilitates those record requests on their clients' behalf.

📄  Key Terms Explained
  • EHR (Electronic Health Record): Your complete digital medical file, including diagnoses, lab results, medications, and treatment history.
  • HIPAA: The federal Health Insurance Portability and Accountability Act. It protects your private health information and requires your consent before it can be shared for non-treatment purposes.
  • Carequality / TEFCA: Nationwide frameworks that allow authorized healthcare providers to securely exchange patient records for care coordination.
  • Health Information Network (HIE) On-Ramp: A company that manages access to these frameworks, vetting who is allowed to request and receive patient records.
  • Purpose of Use: Under HIPAA, health records may only be shared for specific authorized reasons — primarily treatment, payment, or healthcare operations.

The Alleged Scheme: How Patients' Records Were Stolen

According to the lawsuit filed January 13, 2026, in the U.S. District Court for the Central District of California, a network of small companies — many allegedly linked to the same small group of founders and operators — exploited Health Gorilla's on-ramp to Carequality and TEFCA to fraudulently access patient records on a massive scale.

Here is what the plaintiffs allege happened, step by step:

Step 1: Set Up a Fake Provider Identity

The companies created fictitious healthcare provider identities — complete with fake websites designed to look like legitimate medical practices, shell company names that sounded clinical, and fraudulent National Provider Identifier (NPI) numbers used to impersonate real medical providers.

Step 2: Join the Network Through Health Gorilla

Using these false identities, the companies joined the Carequality and TEFCA health data exchange networks through Health Gorilla, which serves as a gatekeeper and on-ramp. The lawsuit alleges Health Gorilla conducted little to no meaningful vetting of these participants before granting them access.

Step 3: Request Patient Records Under False Pretenses

Once inside the network, these companies could request patient records from any participating provider — including Epic — simply by providing basic demographic information like a patient's name and address, and claiming the request was for treatment purposes. No actual treatment was being provided.

Step 4: Sell the Records to Law Firms

Instead of using the records for patient care, the companies allegedly sold or provided the data to law firms seeking to identify potential plaintiffs for mass-tort and class action lawsuits. The records contain precisely the kind of sensitive details — specific diagnoses, conditions, lab values — that would help attorneys find patients who might qualify as claimants.

Step 5: Cover the Tracks

To disguise their activity, the lawsuit alleges these companies inserted meaningless "junk" clinical data into patient records to create the false impression that actual care was being documented. This not only helped them avoid detection — it risked confusing real treating physicians who might later review those falsified entries, posing a direct patient safety hazard.

Step 6: Repeat Under a New Name When Caught

The lawsuit describes the operation as functioning "like a Hydra." When one company was exposed and banned from the network, the same operators simply incorporated a new company and resumed the same activity under a different name.

"Defendants in this case are precisely the sort of malefactors that plague the interoperability system, viewing patient records as a liquid commodity to exploit and thereby reducing patients' ability to control their own health information." — Epic Systems et al., Federal Complaint, U.S. District Court, Central District of California, January 13, 2026

Who Filed the Lawsuit — and Who Is Being Sued?

Epic did not act alone. The lawsuit was filed jointly by Epic Systems and four major nonprofit healthcare systems:

  • OCHIN Inc. — a nonprofit health IT organization serving community health centers across the country
  • Reid Hospital & Health Care Services (Reid Health) — Indiana
  • Trinity Health Corporation — one of the largest Catholic nonprofit health systems in the U.S.
  • UMass Memorial Health Care Inc. — Central Massachusetts's largest health system

The primary defendant is Health Gorilla, the Silicon Valley health data exchange company accused of enabling its clients' access to patient records without adequate vetting. Additional defendants include:

Defendant: Alleged Role
  • Health Gorilla: Primary on-ramp; allegedly failed to vet clients, enabling improper access
  • RavillaMed PLLC / Avinash Ravilla: Alleged fake provider requesting records
  • LlamaLab, Inc.: Medical record retrieval company catering to law firms
  • Mammoth Dx / Mammoth Rx / Unique Medi Tech LLC: Companies allegedly linked to operators of other banned entities
  • Unit 387 LLC / Meredith Manak: Alleged intermediary data broker
  • SelfRx, LLC (Myself.Health): Alleged shell company posing as patient-facing health tool
  • GuardDog Telehealth (Critical Care Nurse Consultants, LLC) / Keli Heskett: Admitted to providing patient records to law firms
  • Hoppr, LLC: Named in complaint as associated entity

The lawsuit asserts claims of fraud, aiding and abetting fraud, breach of contract, and violations of the Federal Computer Fraud and Abuse Act, and alleges violations of HIPAA privacy protections. The plaintiffs are seeking a permanent injunction barring the defendants from accessing health information exchange networks, the return or destruction of all improperly obtained records, and financial damages.

What Records Were Involved — And Could Yours Be Among Them?

The lawsuit states that at least 300,000 patient medical records from Epic's community of healthcare partners were improperly accessed — in addition to an unknown number of records taken from other providers nationwide, including from the U.S. Department of Veterans Affairs (VA) and providers using other EHR systems.

The files accessed are not limited to names and contact information. They include the kinds of deeply sensitive data that patients share with their doctors in confidence:

⚠  Types of Sensitive Data Allegedly Accessed Without Consent

Medical diagnoses (including cancer diagnoses) • Laboratory and test results • Medication lists • Mental health treatment records • Genetic information • Reproductive health information • Treatment histories and clinical notes

For prostate cancer patients in particular, this is alarming. Your records may contain PSA test results, biopsy reports, Gleason scores, hormone therapy regimens, radiation therapy details, and information about participation in clinical trials — precisely the kind of specific clinical profile a law firm might use to identify potential plaintiffs for certain types of litigation.

A Two-Year History: How This Crisis Unfolded

This was not an overnight scandal. The warning signs began emerging in early 2024, when Epic first became concerned that certain companies accessing patient records through intermediaries were not using the data for genuine patient treatment.

March 2024 — First Alarms

Epic filed a formal dispute with Carequality, alleging that a startup called Particle Health was facilitating access to patient records for companies whose purposes were not treatment-related. Epic notified its provider customers and cut off data access for a subset of Particle Health's clients, citing potential HIPAA Privacy Rule violations. Particle Health disputed this action, calling it anticompetitive.

April 2024 — The Data Market Allegation Surfaces

Epic reported learning that a company called Integritort — a Particle Health client — was using patient data to identify potential participants in class action lawsuits. Epic also flagged a company called Novellia, which publicly marketed a "personal health tool" while claiming to access records under the treatment purpose. Multiple companies declined to comment.

September 2024 — Antitrust Counter-Lawsuit Filed

Particle Health responded to Epic's crackdown by filing a federal antitrust lawsuit, alleging that Epic — which manages health information on up to 94% of Americans — was using its dominant market position to illegally block competition in the emerging "payer platform" market. Epic called the lawsuit a diversion from Particle's own HIPAA violations. The antitrust litigation is still ongoing.

October 2024 — Integritort Banned; New Companies Appear

Integritort was banned from Carequality. Almost immediately, according to Epic's January 2026 lawsuit, its former CEO co-founded a new company called Mammoth, which began accessing patient records through Health Gorilla — demonstrating the "Hydra" pattern of reconstituting under new names.

January 13, 2026 — Federal Lawsuit Filed

Epic, OCHIN, Reid Health, Trinity Health, and UMass Memorial Health filed their federal complaint in the U.S. District Court for the Central District of California against Health Gorilla and a network of associated companies, alleging fraud, HIPAA violations, and exploitation of nearly 300,000 patient records.

February 2026 — Health Gorilla Fights Back

Health Gorilla filed a motion to dismiss Epic's lawsuit, calling it "an attack on interoperability" and accusing Epic of using litigation to restrict competition in health data exchange. Health Gorilla's CEO stated that the company had acted in good faith and had suspended the connections in question as soon as concerns were raised.

March 13, 2026 — First Major Admission Filed in Court (Publicly Reported March 18)

GuardDog Telehealth and the plaintiffs filed a Stipulation Re: Judgment and Permanent Injunction (Doc. 75, Case No. 2:26-cv-00321-FMO-RAO, Hon. Fernando M. Olguin) in which GuardDog admitted its entire business consisted of requesting patient records and providing them to law firms — not patient care. Predecessor company Critical Care Nurse Consulting LLC ran the same operation from 2022–2024. The filing also revealed defendant Unit 387 LLC had secretly impersonated CCNC to make unauthorized record requests. GuardDog received a permanent injunction and is required to delete all improperly obtained records within one week of court entry of judgment.

The First Crack: GuardDog Telehealth Admits the Truth in Court

The Stipulation Re: Judgment and Permanent Injunction — filed on March 13, 2026 as Document 75 in Case No. 2:26-cv-00321-FMO-RAO, before the Honorable Fernando M. Olguin in the U.S. District Court for the Central District of California — is the most significant legal development in the case to date. Signed by Akin Gump Strauss Hauer & Feld LLP on behalf of the plaintiffs and Umhofer, Mitchell & King LLP on behalf of GuardDog, it represents the first binding court admission that the scheme Epic described actually occurred.

The filing contains a series of specific, numbered factual admissions from GuardDog. Here is what the company admitted to, directly from the court document:

"GuardDog admits that, since it began operating as a company in 2024, its goal was to provide chronic care management ('CCM') and remote patient monitoring ('RPM') for patients, but that did not happen. For the duration of its existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms." — Stipulation Re: Judgment and Permanent Injunction, ¶ 5, Case No. 2:26-cv-00321-FMO-RAO, Doc. 75 (C.D. Cal., filed March 13, 2026)

The filing goes further, acknowledging a multi-year chain of deception involving multiple entities:

📄  What the Court Filing Actually Says — Key Admissions (¶¶ 5–10)
  • ¶ 5 — The Core Admission: GuardDog's stated mission of providing patient care "did not happen." Its entire business was requesting, reviewing, and summarizing records, then handing them to law firms. Its predecessor company, Critical Care Nurse Consulting LLC (CCNC), ran the same operation from 2022 to 2024.
  • ¶ 6 — False Treatment Claims: GuardDog obtained medical records in 2024 through the Carequality Framework "by asserting a treatment purpose for those records" — and admits some of those records may have been records of patients belonging to Reid Health, Trinity Health, and UMass Memorial Health.
  • ¶ 7 — Unit 387's Role: GuardDog's predecessor CCNC accessed Carequality indirectly through defendant Unit 387 LLC, whose representative Meredith Manak told CCNC it was "permissible" to access the framework for the purpose of requesting records and providing them to law firms.
  • ¶ 8 — Unit 387 Stole CCNC's Identity: GuardDog discovered that Unit 387 had been impermissibly "holding itself out as CCNC" — requesting records under CCNC's credentials without CCNC's knowledge or permission. GuardDog did not discover the full extent of this until 2025. GuardDog then obtained its own direct Carequality access through Health Gorilla after reporting this identity theft to Health Gorilla.
  • ¶ 9 — Health Gorilla's Alleged Awareness: GuardDog states that "at the time GuardDog was connected to the Carequality Framework, GuardDog understood and believed that Health Gorilla was aware of GuardDog's business activities in requesting, reviewing, and summarizing medical records, and providing those medical records to law firms."
  • ¶ 10 — Who Told GuardDog It Was Legal: GuardDog states it believed its activities were permissible "based on conversations with and representations made by Meredith Manak of Unit 387 and representatives of Health Gorilla."

It is important to note the legal precision of these admissions: the filing states that GuardDog "neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Judgment" (¶ 3), and that "the factual stipulations provided herein are made solely for the limited purpose of supporting jurisdiction, entry, and enforcement of this Judgment" (¶ 4). In other words, these admissions are legally binding for the purpose of this judgment, but GuardDog is not making broader confessions about the totality of allegations in the original complaint.

The lawsuit against GuardDog covered four counts: fraud (Count III), aiding and abetting fraud (Count VI), violation of California Business & Professions Code § 17200 (Count VII), and violation of the Computer Fraud and Abuse Act (Count X). Judgment was entered for the plaintiffs on all four counts (¶ 15), and the court directed final judgment under Federal Rule of Civil Procedure 54(b) (¶ 16).

Notably, the plaintiffs agreed not to seek monetary damages from GuardDog (¶ 11), and both parties will bear their own attorneys' fees (¶ 24). In exchange, GuardDog received a full release of all claims related to the conduct described in the complaint (¶ 18).

✏  Permanent Injunction Terms (¶ 17) — What GuardDog Must Do
  • Permanently enjoined from requesting any records through TEFCA or Carequality — applies to GuardDog, all affiliates, subsidiaries, and any successor entities formed by spin-off, merger, reorganization, or otherwise
  • Required to delete all patient health information obtained from TEFCA or Carequality within one week of court entry of judgment (except documentation required to preserve for ongoing litigation)
  • Permanently enjoined from any further use or dissemination of any patient health information obtained from those frameworks
  • Consented to continuing jurisdiction of the court for purposes of enforcing the judgment (¶¶ 22–23)
  • Waived all rights to appeal the judgment (¶ 21)

Health Gorilla's Defense: "This Is About Competition, Not Privacy"

Health Gorilla has vigorously denied all of Epic's core allegations. The company calls Epic's lawsuit "an attack on interoperability that threatens patient safety and efficient healthcare nationwide." Health Gorilla CEO Bob Watson stated that when the company learned of Epic's concerns, it "immediately suspended the connections in question and began investigating their use of healthcare data."

Responding to the GuardDog consent judgment, Health Gorilla argued that GuardDog's filing does not establish that Health Gorilla knew about the misuse of patient records — and noted that when it tried to investigate GuardDog, the company had refused to cooperate.

Health Gorilla and other critics, including Particle Health in its ongoing antitrust lawsuit, argue that Epic is using its dominant market position — managing records for approximately 90% of Americans — to block competitors from the growing market for health data services. They contend that Epic's actions, including cutting off network access to companies it dislikes, reflect "broader monopolistic practices" rather than a genuine concern for patient privacy.

This is a genuinely contested legal and policy question, and one the courts will ultimately need to resolve. It is worth noting, however, that the GuardDog consent judgment — an admission made in court under penalty of law — confirms that at least some of the alleged misconduct described by Epic did in fact occur, whatever Health Gorilla's role may have been.

The Bigger Picture: A Broken System of Oversight

Legal experts and healthcare technology executives say this scandal exposes a fundamental structural problem: the rules governing who can access patient records in the national data exchange system have not kept pace with the technology's growth.

Under HIPAA, health records can be legally shared for treatment, payment, and healthcare operations — but there is a significant "gray zone" involving secondary uses, such as population health analytics, insurance company data needs, and other non-treatment purposes. This ambiguity has created opportunities for bad actors to exploit the system.

Critically, the Carequality and TEFCA frameworks are not currently required under federal law to exhaustively vet every entity that requests access to patient records. Once a company is admitted to the network by an on-ramp like Health Gorilla, it can retrieve records from any participating provider simply by providing basic patient demographic information and asserting a treatment purpose. There is limited real-time verification of whether the requesting entity is actually providing care.

Former National Coordinator for Health IT Dr. Don Rucker put it plainly in comments to industry media: if HIPAA's requirements — that patient data sharing require patient permission, a payer or provider relationship, and a signed business associate agreement — were strictly enforced, the kind of scheme Epic describes would be much harder to execute.

The lawsuit has opened what STAT News described as "a Pandora's box," forcing the U.S. Department of Health and Human Services (HHS) to consider potential policy changes to strengthen oversight of health information exchanges. Industry analysts warn, however, that any regulatory changes in this space could be unduly shaped by Epic itself — as the dominant player with the most to gain from stricter gatekeeping rules.

Meanwhile: Texas Attorney General Sues Epic for Its Own Alleged Data Misconduct

In a significant complication to Epic's role as a patient privacy champion in this case, Texas Attorney General Ken Paxton filed a separate lawsuit against Epic Systems in December 2025, accusing the company of its own violations of data rights and anticompetitive practices.

The Texas case alleges that Epic has positioned itself as a monopolistic gatekeeper over patient data — blocking competition, restricting lawful access to records, and penalizing hospitals that attempt to work with rival EHR vendors or third-party application developers. Texas also alleges that Epic's systems are preconfigured to remove parental access to children's medical records once a child turns 12, in violation of Texas law. The Texas lawsuit brings claims under the Texas Free Enterprise and Antitrust Act.

In other words, while Epic is suing others for allegedly misusing the patient data exchange system, it is simultaneously facing its own lawsuit for allegedly misusing its dominant control over that same system to harm competition and restrict legitimate access to records. Patients should be aware of both sides of this complex picture.

The Patient's Dilemma: No Real Choice, No Easy Exit

Here is the uncomfortable truth that lies at the heart of this case: for most patients, there is no meaningful way to opt out of Epic's network — and opting out would be bad for your health anyway.

Epic manages medical records for more than 325 million Americans — approximately 90% of the U.S. population. Major San Diego health systems including UCSD Health and Scripps Health both use Epic as their EHR platform, as do the vast majority of large health systems nationwide. For a prostate cancer patient coordinating care across a urologist, an oncologist, a radiation center, and a primary care physician — potentially at more than one institution — opting out of Epic's interoperability network is not a realistic option. The alternative is the pre-digital era: schlepping paper files from office to office, submitting records requests to be faxed across town, and hoping your new specialist had your complete history before making a treatment decision.

That old system was its own patient safety disaster. Delayed or incomplete records led to repeated diagnostic tests, missed drug interactions, and physicians making critical decisions without full information. The modern interoperability framework — for all its current vulnerabilities — exists precisely because the status quo it replaced was genuinely dangerous to patients.

⚠  The Core Paradox

The very success of health data interoperability — the fact that it works so well, carries so much sensitive information, and is used so widely — is exactly what made it valuable enough to exploit. The system was built on a trust model designed for a world of legitimate healthcare organizations. It was not designed for shell companies with fake websites and fraudulent provider ID numbers that could request your records by providing nothing more than your name and address.

The governance gap is real and specific: the Carequality and TEFCA frameworks are not currently required under federal law to exhaustively vet every entity seeking access to patient records. Once a company is admitted through an on-ramp like Health Gorilla, it can retrieve records from any participating provider with minimal verification of whether it is actually providing care to the patient whose records it is requesting.

This case has forced that structural problem into the open at the federal level. The lawsuit has compelled the U.S. Department of Health and Human Services to begin considering policy changes to strengthen oversight of health information exchanges — though experts caution that any regulatory overhaul in this space risks being shaped disproportionately by Epic itself, given its dominant market position.

As one former National Coordinator for Health IT framed it: the underlying answer may simply be stricter enforcement of what HIPAA already says — that sharing patient data requires patient permission, a documented payer or provider relationship, and a signed business associate agreement. If those requirements were rigorously verified before any entity could pull records through these networks, the scheme described in this lawsuit would be dramatically harder to execute.

For now, patients in San Diego and across the country remain in the same position: dependent on a system whose benefits are real and whose governance is inadequate. The answer is not to go back to faxing records across town. It is to make the system that replaced faxes worthy of the trust it demands — and this lawsuit, whatever its ultimate legal outcome, has done more than perhaps any prior event to force that reckoning.

What This Means for Prostate Cancer Patients

For members of the IPCSG community, this case is more than an abstract legal dispute. Your medical records are among the most sensitive in the healthcare system. A prostate cancer diagnosis, a record of hormone therapy or chemotherapy, a note about urinary incontinence or sexual dysfunction — this is deeply personal information. The idea that it may have been accessed without your consent and handed to a law firm is deeply troubling.

While there is no current list of which specific patients had their records accessed in this scheme, the scale — 300,000 confirmed records, plus an unknown number from VA patients and those at providers using other EHR systems — means the population affected could be substantial.

✓  What You Can Do Right Now
  • Request your medical records: Under HIPAA, you have the right to obtain a complete copy of your health records from any provider. Request and review them periodically to check for any entries you don't recognize — including possible "junk" data entries that the lawsuit alleges bad actors inserted into records.
  • Ask your provider about data exchange practices: Ask your oncologist, urologist, or primary care physician whether their health system participates in Carequality or TEFCA networks, and what vetting procedures are in place for entities that request your records.
  • File a complaint if you suspect a violation: If you believe your health information may have been improperly shared, you can file a complaint with the HHS Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint.
  • Monitor your mail and communications: If you receive unusual solicitations from law firms about joining class action lawsuits related to your health conditions — particularly out of the blue — this could be a sign your records were among those accessed. Note the firm's name and contact your state bar association if concerned.
  • Stay informed: Follow this newsletter and reputable health news sources for updates as this case progresses. The case is actively in litigation, and further revelations are expected.

Current Status of the Litigation (as of March 30, 2026)

The federal lawsuit — Epic Systems Corp. et al. v. Health Gorilla et al., U.S. District Court, Central District of California, Case No. 2:26-cv-00321-FMO-RAO, filed January 13, 2026 — is actively proceeding. Key current status items:

  • GuardDog Telehealth filed a Stipulation Re: Judgment and Permanent Injunction on March 13, 2026 (Doc. 75, Case No. 2:26-cv-00321-FMO-RAO, Hon. Fernando M. Olguin). GuardDog admitted misconduct and agreed to a permanent injunction covering itself and all affiliates/successors. Judgment was entered for plaintiffs on four counts (fraud, aiding and abetting fraud, California UCL § 17200, and Computer Fraud and Abuse Act). Awaiting formal court entry of the judgment to trigger the one-week data-deletion deadline.
  • Health Gorilla filed a motion to dismiss (February 26, 2026), which remains pending before the court.
  • Remaining defendants (RavillaMed, LlamaLab, SelfRx, Mammoth entities, Unit 387, and others) remain active defendants. No additional settlements have been announced.
  • The Particle Health v. Epic antitrust lawsuit (filed September 2024) is proceeding separately after a federal judge partially denied Epic's motion to dismiss in September 2025.
  • The Texas v. Epic antitrust lawsuit (filed December 2025) is in its early stages.
  • HHS/OCR has not announced a formal investigation or enforcement action related to the patient records disclosed in the Epic/Health Gorilla lawsuit as of this writing, though the lawsuit has prompted calls for regulatory review.

Conclusion: A Crisis of Trust in the Digital Healthcare System

The Epic/Health Gorilla case is a landmark moment in the ongoing struggle to protect patient privacy in a world of digitized, interconnected medical records. The fundamental promise of health data exchange — that sharing your records makes you safer and better cared for — depends entirely on every participant in the system honoring the rules and the trust that patients place in them.

The scheme described in this lawsuit — fake providers, shell websites, junk data inserted into your chart, your diagnosis sold to a law firm — represents a serious breach of that trust. The first court admission of wrongdoing, by GuardDog Telehealth, confirms that at least part of this scheme was real.

At the same time, patients deserve to understand the full picture: the same system that Epic is defending against bad actors is also one where Epic itself faces credible legal challenges about its own exercise of power over patient data. None of this is simple, and the courts will take time to sort it out.

What is not in dispute is this: your medical records contain some of the most sensitive information in your life. You have a legal right to know how they are used, and every company in the chain — from your doctor's EHR system to the networks that carry your records across the country — has a legal and moral obligation to protect them. The IPCSG will continue to monitor this case and bring you updates as they develop.

