One of the world’s largest providers of medical records software is headed to court over the alleged unauthorized and improper sale of patient medical data to attorneys by third parties that fraudulently obtained access to its systems.
Epic Systems alleges several different companies falsely presented themselves as health care providers to access private medical data. The company has been in business since 1979 and holds records for over 300 million patients.
Fake health care providers sought medical data for lawsuits
By and large, the companies that Epic is suing seemed to be seeking medical data to sell to attorneys looking to establish mass tort cases involving many patients suffering similar injuries or conditions. In total the companies accessed 300,000 medical records under these alleged false pretenses.
One of the named companies, calling itself RavillaMed, claimed that it needed patient medical data to provide treatment. Instead, the data was allegedly passed on to a record-selling storefront called LlamaLab that specializes in providing attorneys with potential tort cases. The suit alleges several other companies were engaged in similar behavior. Epic is seeking an order that bars these companies from requesting patient medical data going forward, as well as an unspecified amount of damages due to reputational harm and cost of mitigation of the unauthorized access.
Both RavillaMed and another named company, Mammoth Path Solution, were able to get access to this sensitive medical data by working through a health information network called Health Gorilla that is part of the federal Trusted Exchange Framework and Common Agreement. Members of this framework are vetted with security and technology testing before being given access to a massive network of other qualified health information providers; the aim of the initiative is to speed up information sharing for the sake of expedited patient care.
Epic is alleging that Health Gorilla was negligent in allowing these fraudulent patient care fronts to onboard as legitimate customers. When pressed, the Health Gorilla clients named in the lawsuit were unable to demonstrate clinical value and in some cases had fake National Provider Identifier numbers.
Mass tort cases can be worth tens of billions of dollars
Mass tort cases can be huge business when large companies are the target, with the highest dollar value cases ranging from hundreds of thousands to tens of billions of dollars in damages. So it is no surprise that there are some shady elements looking to feed information to attorneys, who would otherwise have to find eligible pools of plaintiffs via slower means such as individual surveys and interviews. Epic’s filing notes that one of the companies that ultimately received medical data, Integritort, had been previously banned from accessing information sharing systems in 2024 under accusations of using records for non-treatment purposes.
The Epic lawsuit also notes that when the individual “false front” health providers that sneak into accessing medical data are confronted and challenged, they sometimes simply disband and form a new entity that continues doing the same sort of business. There may well be some patients out there who are interested in joining a mass tort suit, but they have to give up frightening amounts of their sensitive medical data to these shady entities to be contacted this way: mental health conditions, genetic information, reproductive care, and sexual health among other possibilities.
Any company that participates in the national information sharing networks (Carequality and TEFCA) that this medical data is drawn from is not just supposed to be vetted by a process that includes testing, but also agrees to be bound by both HIPAA law and state regulations that govern patient records. But this has proven insufficient to stop bad actors that do not seem to care about the law; in some cases these fake service providers will inject equally fake junk data into patient records to make it appear as if treatment was actually provided, something that can complicate actual treatment down the road. Patients are not only unaware that this is happening, but have no real means by which to see which firms of this type have accessed their records should they want to investigate.
One issue with the process is that these shady outfits seem to proactively establish multiple identities with the more trusted clearinghouses up the chain (such as Health Gorilla). These business entities initially behave themselves to establish trust; they are then used one at a time to harvest medical data, and when the heat is turned on them they simply abandon that identity and move to one of the other previously established ones. The Epic suit alleges fraud, aiding and abetting fraud, breach of contract, and violations of the Federal Computer Fraud and Abuse Act. If the suit ultimately prevails, the ruling could establish a precedent that puts an end to these shady firms.

