GuardDog Telehealth, the defendant in Epic’s high-profile lawsuit over alleged misuse of patient data, has admitted to accessing patient medical records under false pretenses in order to provide information to a law firm.
The telemedicine company made this concession as part of a consent agreement it entered into with Epic and its co-plaintiffs in the lawsuit to get out of the lawsuit.
In its legal filing (link to PDF), GuardDog acknowledged that “since it began operating as a company in 2024, its goal has been to provide chronic care management and remote patient monitoring to patients, which has not materialized.” Instead, GuardDog’s business is “focused on requesting, reviewing, and summarizing medical records, and providing those records to law firms,” and it said it gained access to those medical records through the Care Quality Framework “by asserting the therapeutic purpose of those records.”
In January, electronic medical records giant Epic and a group of healthcare providers filed a lawsuit against Health Gorilla and several of its customers, alleging that the company illegally accessed and monetized patient medical records.
In a lawsuit filed in California District Court, Epic and the providers allege that Health Gorilla and its customers abused a national interoperability framework, the Quality of Care and Trusted Exchange Framework and Common Agreement (TEFCA).
The lawsuit was filed on January 12 by Epic, Reid Health, Trinity Health, UMass Memorial Health, and OCHIN, a healthcare IT solutions provider and consulting firm. Epic and healthcare providers say they are taking legal steps to protect patient privacy and protect sensitive medical information.
Epic and the other plaintiffs seek immediate relief for fraud, aiding and abetting fraud, breach of contract and violations of the California Business and Professions Act, as well as violations of the federal Computer Fraud and Abuse Act.
In a consent decree filed Friday, GuardDog acknowledged that some of the records it accessed on behalf of the law firm may have been patient medical records of OCHIN and Epic’s healthcare provider clients, including plaintiffs Reid Health, Trinity Health Corporation, and UMass Memorial Health Care, Inc.
And the telemedicine company said it believes health information network Health Gorilla is aware of GuardDog’s business activities in providing these medical records to law firms. The company also said it believes it is permissible for Guard Dogs to request medical records through the Care Quality Framework for treatment purposes and share those records with law firms, “based on conversations and representations with Meredith Manak of Troop 387 and Health Gorilla representatives.”
It also acknowledged that its predecessor, Critical Care Nurse Consulting, had been doing the same thing since 2022.
Health Gorilla, as a gateway to TEFCA and Carequality, enabled health tech companies Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog and others to illegally access and monetize approximately 300,000 patient medical records from members of the Epic community, according to a lawsuit filed by Epic and providers. “This is in addition to an unknown number of records obtained from organizations across the country, including the Department of Veterans Affairs and other EHR-using providers,” Epic said in a press release about the lawsuit.
Epic alleges that Health Gorilla and the health tech company requested patient records for the purpose of treating patients, but used those patient records for other purposes, including marketing to attorneys seeking potential claimants with certain conditions or diagnoses that would qualify them to participate in mass tort class actions.
This new filing represents a stipulated judgment and permanent injunction agreement between GuardDog Telehealth and Epic. If the judge overseeing the case approves the ruling, GuardDog Telehealth will be permanently barred from requesting records using the TFCA or Carequality interoperability frameworks. The company will also be required to delete any patient health information or records obtained from the framework and will be prohibited from “further use or distribution of any patient health information or records” obtained.
GuardDog’s lawyers told Reuters in a statement that the company “has always maintained that it acts in good faith with the goal of maximally supporting patient care, whether or not the patient is involved in the legal system.”
Epic said in a statement that litigation continues against Health Gorilla and the remaining defendants.
Health Gorilla argued that the consent decree had “no legal impact” on the company, calling the ruling “incomplete at best and misleading at best.”
“GuardDog has stated that it has never notified Health Gorilla of its non-therapeutic use of patient information, and we are prepared to prove that it did not. Furthermore, when Health Gorilla attempted to investigate GuardDog with the Interoperability Network and several large healthcare providers, GuardDog was unresponsive and refused to cooperate,” the company said in a statement (link to PDF).
Health Gorilla claims that Epic’s lawsuit is an “attack on interoperability that threatens patient safety and efficient health care across the country, made worse by misleading filings like the agreement with GuardDog.”
“Health Gorilla remains fully compliant with all applicable data sharing frameworks and remains confident that we will address these claims through the legal process,” the company said.
After the lawsuit was filed in January, Health Gorilla said it “categorically” denied the allegations. The medical data network argued that the lawsuit is “another example of Epic’s exclusionary practices that restrict competition and limit access to medical data.”
In another development, on the day the stipulated agreement between GuardDog Telehealth and Epic was filed in court, UPMC issued a notice saying patient records may have been “unauthorizedly accessed” by a “national network used for health information exchange.”
“A network named ‘Health Gorilla’ electronically requested information and claimed to have permission to do so under the pretext of providing care to shared UPMC patients. A national network allows health care providers to exchange information for the treatment of patients. UPMC is required to join this national network,” the health system said in an online statement.
UPMC said its electronic health records vendor, Epic, notified the health system of suspected unauthorized access to patient medical records.
UPMC said the information accessed did not include Social Security numbers, but may have included name, age, diagnosis and medical history information.
The health system reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights.
