Epic v. Health Gorilla: The legal battle and its implications, explained
Epic alleged that Health Gorilla's actions could threaten nationwide interoperability efforts. But Health Gorilla says it's Epic's lawsuit that will have a chilling effect on interoperability.
In January 2026, Epic and a group of healthcare providers sued interoperability platform Health Gorilla and several of its clients, alleging that the companies exploited health information exchange frameworks like TEFCA and Carequality to access nearly 300,000 patient medical records and use them for financial gain.
Epic alleged that the defendants operated as "organized syndicates" to monetize patient records without consent, requesting the records for treatment and then using them for other purposes, including marketing them to lawyers seeking potential claimants in class action lawsuits.
Epic further claimed that, when caught, the entities would simply create new companies to continue their illegal activities.
"If not stopped," Epic warned in the lawsuit, "they will continue to inappropriately market the patient data they have already taken and will take more."
In the months that followed, a public legal battle ensued, with Health Gorilla vehemently denying the allegations. One defendant, GuardDog, admitted to improper record sharing and entered into a settlement. Meanwhile, health systems and other stakeholders have filed data breach reports after learning that their patient records may have been compromised.
The lawsuit is the first of its kind, according to Tyler Giesting, a healthcare merger and acquisition director at West Monroe. Not only does it involve major players in the healthcare interoperability ecosystem, but it also signifies the growing tension between the shared industry goal of interoperability and the competitive dynamics of health tech vendors.
"Really, what this is about is a broader discussion around clinical data exchange governance and frameworks, and the gray areas that exist as technology evolves faster than those governance mechanisms or regulations can keep up," Giesting said. "This is certainly at the current top of the list of things related to interoperability that I'm watching."
The case is far from over, but the initial filing and developments so far could have long-term implications for the future of healthcare interoperability.
Epic's claims
In addition to Epic, the lawsuit was filed by health IT provider OCHIN and health systems Trinity Health, UMass Memorial Health Care and Reid Health. The defendants include health tech companies Health Gorilla, RavillaMed, LlamaLab AI, GuardDog, Mammoth Rx, Myself.Health and Hoppr.
The lawsuit's chief allegation is that Health Gorilla, a designated QHIN under TEFCA, enabled Mammoth Rx, RavillaMed and other companies to improperly access and monetize the medical records of members of the Epic community by exploiting TEFCA and Carequality, two national interoperability frameworks that establish rules for exchanging clinical data.
According to Epic, Health Gorilla was involved in a scheme that allowed clients to masquerade as healthcare providers treating patients, turning "nationwide interoperability frameworks into data marts where sensitive patient information can be bought and sold without patient consent or their physicians' knowledge."
The lawsuit alleged that the defendants obscured their true purpose through shell entities, fictitious websites and fake National Provider Identification numbers. What's more, Epic claimed that the companies tried to avoid detection by injecting clinically useless documents into interoperability frameworks to make it look like they were treating patients.
In a notable example, the filing detailed the alleged actions of RavillaMed, a company that offers chronic care management services. According to the lawsuit, RavillaMed's website raised red flags by offering minimal information about how it delivers its services and featuring stock photographs and generic healthcare statements.
What's more, the website omitted important contact information, presenting questions about "the existence or extent of RavillaMed's actual treatment of patients."
In August 2025, RavillaMed allegedly obtained more than 17,000 patient records from the Epic community alone, followed by another 10,000 in October 2025. Despite the high request volume, RavillaMed sent far fewer patient records back to providers than it took, the filing stated.
"This non-reciprocal exchange pattern between RavillaMed and healthcare providers using Epic is atypical for a healthcare provider and presents another red flag that the purported healthcare provider (RavillaMed) did not actually provide treatment," Epic said.
Health Gorilla's role in the health data exchange ecosystem is to aggregate fragmented medical records from providers, labs and pharmacies into a comprehensive patient profile on its health data interoperability platform. As a framework implementer, the company has a responsibility to vet participants and ensure that those participants use the framework for the legitimate purpose of providing patient treatment.
"They are supposed to protect the sanctity of the frameworks and stop bad actors from infiltrating it or abusing it under false pretenses," the filing stated.
Beyond the specific actions of the alleged bad actors, Epic expressed concern about what the alleged scheme and its fallout could mean for health data privacy and interoperability as a whole. Providers need to know they can promise their patients privacy and that key interoperability mechanisms can be relied upon.
The filing asserted that "if the bad actors exploiting data access are not stopped, nationwide interoperability is at risk."
Health Gorilla's initial response
There are two sides to every story, and Health Gorilla was quick to respond to Epic's lawsuit with its own viewpoint.
"We categorically reject these allegations, and we are fully prepared to defend our conduct," Bob Watson, CEO and executive chairperson at Health Gorilla, said in a Jan. 27, 2026, statement in response to the lawsuit. "Epic's lawsuit not only fails to provide all the facts, but reflects an irresponsible use of litigation as a weapon rather than to advance serious claims."
From Health Gorilla's perspective, Epic's claims are misleading. Watson stated that when Health Gorilla learned of the allegations Epic raised, it immediately suspended the connections in question and launched an investigation, which is ongoing.
"Meanwhile, when it comes to interoperability, Epic has done the equivalent of shouting 'fire' in the middle of a crowded theater," Watson said.
Watson asserted that Health Gorilla has only ever operated in conformance with applicable laws and industry norms, and that Epic misunderstands Health Gorilla's role in connecting providers with data.
In February, Health Gorilla filed a motion to dismiss the litigation, arguing that the lawsuit relies on facts that Health Gorilla voluntarily provided to Epic to support its investigations into certain network participants. Rather than resolve issues behind closed doors, Epic "sought to escalate what is fundamentally a healthcare governance dispute into a federal action and smear campaign," Health Gorilla stated.
Health Gorilla framed the lawsuit as part of a "pattern of conduct by Epic to deter both its competitors and customers from embracing innovation in interoperability, which undermines the framework and risks a more efficient, safer healthcare system."
Essentially, Health Gorilla is taking issue with what it perceives as Epic's attempt to limit competition and restrict access to healthcare data, raising concerns about monopolistic practices.
However, one thing both parties seem to agree on is that this case will have lasting effects on nationwide interoperability efforts.
"Health Gorilla will defend itself, but we're also defending something larger. Interoperability only works when those who participate in it do so in good faith. Health Gorilla has. It is time for Epic to do the same," Watson said.
GuardDog settlement
The legal battle intensified in March, when GuardDog Telehealth, a Health Gorilla client and one of the defendants, filed a stipulated judgment admitting that it had fraudulently requested patient data.
GuardDog stated that while "its goal was to provide chronic care management and remote patient monitoring for patients," that "did not happen."
"For the duration of its existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms," the stipulated judgment stated.
GuardDog admitted that its predecessor company, Critical Care Nurse Consulting, similarly provided medical records to law firms from 2022 to 2024.
The company also said it believed it was permissible to request medical records through Carequality and provide them to law firms, and that it "understood and believed that Health Gorilla was aware of GuardDog's business activities in requesting, reviewing, and summarizing medical records, and providing those medical records to law firms."
If the judgment is approved by a judge, GuardDog will be permanently barred from participating in TEFCA and Carequality and must delete any patient health information it previously obtained from the frameworks. GuardDog will also be released from the lawsuit if the judge agrees to the stipulated judgment.
Following GuardDog's admission, Health Gorilla released a statement, saying that "GuardDog's consent judgement has no legal impact on Health Gorilla, and is incomplete at best and misleading at worst."
"If you read carefully, GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not," Health Gorilla said.
Days later, Health Gorilla teamed up with GuardDog to publicly release a 2025 case study -- which the companies had developed together for marketing purposes -- to support its claims that GuardDog had consistently represented to Health Gorilla that its services were for treatment purposes.
"The patients whose records we queried provided HIPAA authorizations and we understood that the reason for querying their records was to assist in providing treatment to each patient, regardless of whether the patient had hired a law firm to represent them," Justine Hanna, co-owner of GuardDog, said in a joint press release by GuardDog and Health Gorilla. "We always represented to Health Gorilla that our services were for treatment purposes and they were."
Health Gorilla said it had 21 recorded meetings with GuardDog, wherein GuardDog made the same claims.
To Giesting, the GuardDog settlement signified a clear turning point in the case.
"The settlement assigns a named entity to what the lawsuit is alleging," he said. "Not only does that, from a practical standpoint, renew attention on the case as it's played out, but it also makes various participants across all points of the healthcare ecosystem stop and maybe think about whether they have interacted with, if not GuardDog, other entities that maybe could be doing similar things."
Health Gorilla's response was also telling, Giesting said, as it shows that the company is planning to continue its defense and distance the GuardDog settlement from its own legal arguments.
What the case signals for the future of interoperability
Though it is still early in the legal proceedings, this case has several implications for healthcare interoperability, Giesting said.
"One of the reminders that this brings forth is that this data has value to lots of folks for reasons that are not allowed under HIPAA. The value of this data is far-reaching, and it expands far beyond patient care. It clearly has value for lots of different third parties and entities that are maybe less interested in care coordination and more interested in a financial motive," he said.
In addition to exposing potential vulnerabilities in the nationwide interoperability frameworks, Giesting suggested that the litigation could have a chilling effect, slowing interoperability efforts as entities figure out how to operate within these frameworks.
"Big providers, payers, they're all watching this and all probably figuring out, where do we stand currently based on the arguments on one side or the other? What's our position going to be? Do we need to make a decision now? Do we need to watch and wait?" Giesting noted.
Giesting predicted that as interoperability frameworks continue to evolve, a trust-but-verify approach could help ensure that all key players understand the rules.
As providers and payers think about their next moves, Epic is continuing its efforts to advance the case toward a jury trial.
"This is an important lawsuit and potentially a watershed moment, depending on how things play out," Giesting said. "It could influence how all of these different private equity-backed companies participate in the ecosystem and the rules that they need to abide by."
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.