Epic, health systems file lawsuit alleging HIE exploitation

Epic, along with four healthcare organizations, is suing Health Gorilla, RavillaMed, LlamaLab AI and others, claiming that these companies are using health information exchange, or HIE, frameworks to steal sensitive patient health information for financial gain.

According to the lawsuit shared with Health IT and EHR, these companies are exploiting nationwide interoperability frameworks, like Carequality and TEFCA, and turning them "into data marts where sensitive patient information can be bought and sold without patient consent or their physicians' knowledge."

Epic claimed that the defendants accessed and monetized nearly 300,000 patient medical records, in addition to an unknown number of records from provider organizations using other EHRs, including the Veterans Administration (VA).

The suit alleges that Health Gorilla, which is an "implementer" of interoperability frameworks, is involved in a scheme in which it allows its clients to access patient records under the false pretense of providing patient care.

The suit states that in many cases, defendants, including RavillaMed and others, asserted that they are healthcare providers and requested patient records. They then used these medical records for various illicit purposes, including marketing them to lawyers seeking people with specific conditions and diagnoses that would qualify them to join class-action lawsuits. The companies allegedly hid behind fictitious websites, shell entities and sham National Provider Identification numbers.

Additionally, the lawsuit states that the defendants also attempted to evade detection by adding clinically useless documents into interoperability frameworks, "giving the false impression that they are treating patients, which risks patient safety and wastes valuable clinician time."

Further, the plaintiffs allege that when the defendants were caught, the owners and operators created new companies to continue their fraudulent activities.

"The scheme thus operates like a Hydra: when one fraudulent entity is exposed, the bad actors birth a new one," the suit states.

The other plaintiffs in the suit are OCHIN, a nonprofit research and innovation network, and health systems Reid Health, Trinity Health and UMass Memorial Health.

The lawsuit comes amid a federal push toward interoperability. In July 2025, CMS secured voluntary commitments from technology companies, health systems, app developers and payers to participate in its Health Technology Ecosystem. Health Gorilla and Epic both committed to the initiative. One of its goals is to establish an interoperability framework.

Health IT and EHR has reached out to Health Gorilla for comment.

Anuja Vaidya has covered the healthcare industry since 2012. She currently covers the virtual healthcare landscape, including telehealth, remote patient monitoring and digital therapeutics.