In a significant escalation of a legal battle that could redefine the boundaries of healthcare data exchange in the United States, Health Gorilla has officially filed a motion to dismiss a lawsuit brought by Epic Systems and several prominent healthcare providers. The motion, filed in the U.S. District Court for the Central District of California, characterizes Epic’s litigation as an "attack on interoperability" and argues that the dispute should be resolved through established industry governance frameworks rather than federal court proceedings. This legal maneuvering follows a series of allegations that Health Gorilla facilitated the improper access and monetization of hundreds of thousands of patient records, a charge the data network denies.
The conflict centers on the tension between the federal mandate for seamless healthcare data sharing and the critical need to protect patient privacy from commercial exploitation. As the healthcare industry moves toward universal interoperability, this case highlights the unresolved ambiguities in how data exchange is governed and who bears responsibility when data is accessed for purposes other than direct clinical care.
The Core of the Litigation: Allegations of Fictitious Providers and Data Diversion
The original complaint, filed on January 13, 2025, by Epic Systems alongside Trinity Health, UMass Memorial Health, Reid Health, and OCHIN, paints a picture of a sophisticated scheme designed to bypass the security protocols of national health information exchanges. According to the plaintiffs, Health Gorilla provided a gateway for a network of entities to inappropriately access and monetize approximately 300,000 patient medical records.
The plaintiffs allege that Health Gorilla allowed a cluster of small telehealth and data companies—many of which were allegedly linked to the same founders and operators—to pose as legitimate healthcare providers. The lawsuit claims these entities utilized fictitious provider names, shell websites, and fraudulent National Provider Identifiers (NPIs) to request patient data under the guise of "treatment purposes." Once obtained, the plaintiffs allege the data was diverted for non-treatment uses, specifically for marketing to law firms seeking potential claimants for mass tort litigation.
A particularly alarming aspect of the complaint involves the alleged insertion of "junk" information into patient records. Epic and the health systems claim that the defendants added fabricated clinical notes to hide their activity and maintain the appearance of genuine care delivery. This practice, the plaintiffs argue, not only wasted the time of clinicians who had to sift through the data but also posed a direct risk to patient safety by polluting medical histories with inaccurate information. The lawsuit describes the network of companies as a "Hydra," suggesting that when one fraudulent entity was identified and blocked, the operators would simply create a new shell company to resume the same conduct.
Health Gorilla’s Defense: Interoperability and Procedural Challenges
In its motion to dismiss, Health Gorilla has mounted a vigorous defense, shifting the focus from the alleged data misuse to the motivations of the plaintiffs and the appropriate venue for such disputes. The company maintains that it has been a cooperative participant in national data sharing and that Epic’s lawsuit is a strategic move to suppress competition.
Health Gorilla’s legal team argues that the case should be dismissed because the plaintiffs failed to exhaust the administrative and governance remedies built into the data exchange networks themselves. Most national data exchanges, including those operating under the Trusted Exchange Framework and Common Agreement (TEFCA), have specific dispute resolution processes designed to handle claims of non-compliance or improper access. By bypassing these protocols, Health Gorilla asserts that Epic is undermining the very systems designed to ensure stable and secure data flow.
Furthermore, Health Gorilla’s motion addresses the "lack of actual knowledge" regarding the alleged wrongdoing. The company contends that it operated in good faith and cooperated with internal investigations into the matter for several months before the lawsuit was filed. In a sharply worded statement included in the motion, Health Gorilla suggested that Epic is using the litigation as a "distraction" from its own regulatory scrutiny. The motion states that Epic seeks to "paint itself as a good actor" to deflect from "sustained criticism and inquiry from regulators and private plaintiffs for its widespread unfair business practices."
The Broader Context: A Two-Front Legal War for Epic
The lawsuit against Health Gorilla does not exist in a vacuum. It is part of a broader landscape of litigation involving Epic Systems, the nation’s largest electronic health record (EHR) vendor, which currently holds nearly 36% of the U.S. acute care hospital market share. Epic is simultaneously defending itself in a high-profile antitrust lawsuit filed by Particle Health in September 2024.
In the Particle Health case, the data platform alleges that Epic is using its market dominance to stifle competition in the emerging payer-facing platform space. Particle Health claims that Epic has imposed technical and contractual barriers that prevent rivals from accessing necessary patient data, effectively creating a monopoly. A federal judge recently allowed that antitrust lawsuit to proceed, signaling that the courts are increasingly willing to examine the power dynamics of healthcare data gatekeepers.
The juxtaposition of these two cases highlights a complex irony: in one courtroom, Epic is accused of being a "data blocker" that prevents competition; in another, it is the primary plaintiff, accusing others of exploiting the very "openness" it is criticized for restricting. Industry analysts suggest that these legal battles are a symptom of a transition period in healthcare IT, where the rules of the road for data exchange are still being written by judges rather than regulators.
Chronology of the Dispute and Interoperability Milestones
The timeline of these legal developments reflects the accelerating pace of health data integration and the friction it generates:
- September 2024: Particle Health files an antitrust lawsuit against Epic Systems, alleging "data blocking" and anti-competitive behavior.
- January 13, 2025: Epic and several health systems file a lawsuit against Health Gorilla, alleging the fraudulent access of 300,000 patient records via shell companies.
- September 2025: A federal judge denies Epic’s initial attempt to dismiss the Particle Health antitrust suit, allowing the case to move forward.
- February 26, 2026: Health Gorilla files its motion to dismiss Epic’s lawsuit, calling it an "attack on interoperability."
This chronology coincides with the rollout of TEFCA, the federally recognized framework for nationwide health information exchange. TEFCA aims to establish a "floor" for interoperability, but the Epic vs. Health Gorilla case suggests that the "ceiling" for what constitutes acceptable data use remains poorly defined.
Supporting Data: The Rising Stakes of Data Exchange
The scale of healthcare data exchange in the U.S. has reached unprecedented levels. According to the Office of the National Coordinator for Health Information Technology (ONC), over 95% of hospitals and 80% of office-based physicians currently use certified EHR technology. The volume of data moving through networks like Carequality and CommonWell—both of which are central to the Health Gorilla dispute—is measured in billions of transactions annually.
However, the monetization of this data has become a multi-billion-dollar industry. Data brokers and legal marketing firms frequently seek access to clinical data to identify potential plaintiffs for high-value lawsuits related to pharmaceuticals, medical devices, or environmental hazards. While the 21st Century Cures Act was intended to prevent "information blocking," it did not explicitly address the nuances of "secondary use"—the use of data for purposes other than direct clinical care.
The "300,000 records" cited in the Epic lawsuit represents a significant breach of trust for the affected patients. Industry surveys consistently show that while patients support data sharing for their own treatment, they remain highly skeptical of third-party access. A 2023 study found that nearly 70% of patients were "very concerned" about their medical records being sold or used for marketing purposes without their explicit consent.
Official Responses and Expert Analysis
The reaction from the parties involved underscores the philosophical divide in the industry. An Epic spokesperson, in a statement provided to the media, emphasized the fiduciary responsibility of data networks. "Medical records are deeply personal and exploiting them is wrong," the spokesperson said. "Health Gorilla had a responsibility to safeguard sensitive patient data and know why it was being taken. The public deserves a complete investigation and resolution in federal court rather than behind closed doors."
Conversely, proponents of Health Gorilla’s position argue that holding a network responsible for the actions of its individual users could create a "chilling effect" on interoperability. If networks face massive federal litigation every time a user misrepresents their intent, they may become overly restrictive, inadvertently leading to the very data blocking that federal regulators are trying to eliminate.
Legal experts suggest that the outcome of the motion to dismiss will hinge on the court’s interpretation of "treatment purposes." Under HIPAA, data can be shared for treatment, payment, and operations without specific patient authorization. If the court finds that the shell companies’ activities were clearly outside the scope of "treatment," Health Gorilla’s "lack of knowledge" defense will be put to a rigorous test.
Implications for the Healthcare Industry
The resolution of this case will likely have far-reaching implications for the future of healthcare interoperability:
- Standardization of Identity Verification: The case may force the industry to adopt more rigorous standards for verifying the identity of "providers" on data networks, moving beyond simple NPI checks to more robust multi-factor authentication and organizational vetting.
- Clarification of Secondary Use: Regulators may be pressured to provide clearer guidance on what constitutes "treatment purposes" versus "commercial exploitation," potentially leading to updates in the 21st Century Cures Act or HIPAA regulations.
- Governance vs. Litigation: If the court grants the motion to dismiss, it will reinforce the authority of network governance bodies (like the Sequoia Project or QHINs under TEFCA) to police their own members. If the motion is denied, it opens the door for a new wave of federal litigation over data exchange practices.
- Security and Data Integrity: The allegation of "junk data" insertion highlights a new cybersecurity threat—not just data theft, but data corruption. Ensuring the integrity of the clinical record during transit will become a top priority for EHR vendors and health systems.
As the legal proceedings continue, the healthcare industry remains at a crossroads. The promise of a fully interoperable healthcare system depends on trust between providers, vendors, and patients. The battle between Health Gorilla and Epic Systems serves as a stark reminder that in the digital age, the flow of information is only as strong as the safeguards protecting it.
