A defendant in the lawsuit brought by Epic accusing health information network Health Gorilla and several of its clients of improperly accessing patient records has admitted to fraudulently requesting patient data, according to a new legal filing released Friday.
Beginning in 2024, GuardDog Telehealth — a client of Health Gorilla — improperly accessed patient records in order to provide them to law firms, while falsely asserting it was using the data to treat patients, according to the filing.
Although GuardDog’s goal was to “provide chronic care management and remote patient monitoring for patients” that “did not happen,” according to the filing. Instead, GuardDog used the guise of its business to request, review and summarize medical records to give to law firms.
GuardDog also said it believes Health Gorilla was aware of its sham business.
The filing is an agreement between Epic and GuardDog called a stipulated judgment and permanent injunction. If the filing is certified by a judge, GuardDog will be permanently barred from requesting data through two of the largest interoperability frameworks in the country — TEFCA and Carequality. The company would also be required to delete any patient health information obtained from the frameworks.
Health Gorilla called GuardDog’s judgment “incomplete at best and misleading at worst.”
“If you read carefully, GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not,” the company said in a statement to Healthcare Dive, HR Dive’s sister publication. Health Gorilla added that GuardDog did not respond and refused to cooperate when Health Gorilla attempted to investigate it.
“Epic’s lawsuit remains an attack on interoperability that threatens patient safety and efficient healthcare nationwide, made worse by misleading submissions like its agreement with GuardDog,” Health Gorilla said.
It’s a win for Epic, which in January filed a lawsuit accusing Health Gorilla of allowing healthcare companies to retrieve patient records and monetize them, including providing the data to lawyers for class-action lawsuits without consent from patients.
Central to the case is the interplay between companies that facilitate the exchange of medical records, in order for doctors to have ready access to patient data.
The companies, called health information networks, contract with providers, who are able to share medical records on patients who may have received care from another clinician. Health information networks participate under interoperability frameworks, like the Trusted Exchange Framework and Common Agreement — known as TEFCA — and Carequality, which set rules for data sharing and facilitate who participates.
Because patient data is sensitive, health information networks like Health Gorilla and Epic are responsible for vetting potential provider clients who want to retrieve patient records. The vetting is important because providers are largely required by law to share medical records with each other.
Epic’s lawsuit alleges that Health Gorilla didn’t properly vet its clients, some of which may be masquerading as providers in order to access medical records to sell them to third-party companies, like law firms, without a patient’s consent.
The filing also says GuardDog’s predecessor company, Critical Care Nurse Consulting, provided medical records to law firms in a similar way from 2022 to 2024.
GuardDog says that another defendant in Epic’s lawsuit masked itself as CCNC in order to also request medical records. Unit 387, an intermediary data broker onboarded to Carequality by Health Gorilla, masked itself as its customer CCNC in order to request medical records without CCNC’s knowledge, according to the filing.
GuardDog said that it didn’t discover the full extent of the records requested by Unit 387 under its credentials until last year.
Customers of Unit 387’s include CCNC and another defendant in the lawsuit, SelfRx, according to the lawsuit.
In its original complaint, Epic said it believed Unit 387 sold medical record data for profit, either directly or through its customers. Epic said it flagged unusual medical data retrieval patterns from Unit 387’s customers, including CCNC and SelfRx, that suggested “no treatment” was being provided.
Unit 387 could not be reached for comment.
GuardDog will be released from the ongoing lawsuit if a judge agrees to the stipulated judgment.
A spokesperson for Epic said the agreement could incentivize other defendants to enter into more stipulated judgments with Epic, and that the company would welcome discussions.
