Major Lawsuit Aims at Alleged ‘Sham’ Providers in Data HIE

Electronic health records leader Epic Systems has initiated a lawsuit against Health Gorilla, alleging that the latter has permitted illegitimate companies—disguised as healthcare providers—to gain unauthorized access to digital patient records from national health data exchange platforms. Epic claims that Health Gorilla’s actions have facilitated improper access to nearly 300,000 patient medical records under the false premise of treatment.

The lawsuit, filed in a federal court in Los Angeles, accuses Health Gorilla of enabling these so-called “sham medical practices” to unlawfully market access to attorneys seeking class action lawsuit plaintiffs. Additionally, several co-defendants are named in the complaint, including Mammoth and RavillaMed. Epic, alongside four healthcare organizations, maintains that patients’ sensitive data has been compromised due to Health Gorilla’s inadequate oversight in managing network participants.

The lawsuit highlights that Health Gorilla, a Florida-based entity, has engaged in practices that jeopardize patient privacy and trust. “These bad actors have accessed and monetized countless patient records,” argues Epic, which filed the lawsuit in conjunction with health IT consultancy OCHIN and multiple healthcare provider organizations such as UMass Memorial Health Care, Trinity Health, and Reid Hospital and Health Care Services.

Epic asserts that Health Gorilla, as a provider of an interoperability platform and a Qualified Health Information Network under the Trusted Exchange Framework and Common Agreement, holds a crucial responsibility in ensuring that only legitimate entities gain access to sensitive clinical data. “The implementers of these frameworks must conduct thorough vetting to guarantee their participants are utilizing access for appropriate clinical purposes,” the complaint states.

In response, Health Gorilla has categorically denied Epic’s claims, suggesting that the lawsuit represents an attempt by the EHR giant to suppress competition in the industry. “These allegations resonate with broader concerns regarding monopolistic practices in health information exchange, and Health Gorilla advocates for fair access to healthcare data,” the company stated in its rebuttal.

The situation raises significant concerns about the governance of health data interoperability and the need for robust oversight mechanisms. Experts note that the incident underscores the risks associated with breaches of trust between participants in health data exchange networks. It serves as a critical reminder that effective governance is essential for mitigating insider threats and ensuring the integrity of patient data.

Legal professionals and healthcare security experts emphasize that health data exchange participants should undergo rigorous vetting through formal governance processes. Access to sensitive health information necessitates ongoing oversight and should not be taken lightly, particularly given the potential for misuse once data leaves the originating system. Consequently, accountability becomes increasingly complex when participants exploit data for unauthorized purposes.

As businesses continue to navigate the intricacies of health data interoperability, clarity in governance and active monitoring will be paramount in safeguarding patient information while fostering innovation in health IT.