Epic’s
high-profile
lawsuit
over
the
alleged
misuse
of
patient
data
just
scored
its
first
major
concession.
Last
Friday,
GuardDog
Telehealth
—
one
of
the
defendants
accused
of
exploiting
interoperability
networks
to
obtain
people’s
health
information
—
admitted
in
a
legal
filing
that
it
falsely
represented
itself
as
providing
treatment
in
order
to
access
medical
records.
Epic’s
complaint,
filed
January
13,
claims
that
Health
Gorilla
enabled
other
companies
to
inappropriately
access
and
monetize
nearly
300,000
patient
medical
records.
Health
Gorilla
has
denied
the
allegations.
The
plaintiffs
are
Epic,
Trinity
Health,
UMass
Memorial
Health,
Reid
Health
and
OCHIN.
They
allege
that
Health
Gorilla
and
a
network
of
other
companies
set
up
fictitious
healthcare
providers,
shell
websites
and
fake
provider
IDs
to
make
it
look
like
records
requests
were
for
real
treatment
purposes.
Instead,
the
data
was
allegedly
diverted
for
non-treatment
uses
—
such
as
marketing
to
lawyers
seeking
potential
claimants
for
lawsuits.
GuardDog
is
one
of
the
other
companies
involved
in
the
network,
and
the
rest
are
a
cluster
of
small
telehealth,
data
and
shell
companies
—
many
allegedly
linked
to
the
same
founders
and
operators
—
that
the
plaintiffs
say
were
used
to
pose
as
legitimate
providers.
The
complaint
also
stated
that
the
defendants
inserted
“junk”
information
into
records
to
hide
their
activity
and
give
the
appearance
of
genuine
care,
which
in
turn
risked
patient
safety
and
wasted
clinician
time.
When
one
fraudulent
entity
was
exposed,
the
same
actors
allegedly
created
new
companies
to
continue
the
same
conduct,
operating
“like
a
Hydra,”
according
to
the
lawsuit.
On
February
26,
Health
Gorilla
then
filed
a
motion
to
dismiss
a
lawsuit,
calling
it
“an
attack
on
interoperability.”
About
two
weeks
later,
GuardDog
threw
an
even
bigger
wrinkle
in
the
case
by
admitting
in
a
court
filing
that
it
misrepresented
its
services
to
obtain
patient
records.
“GuardDog
admits
that,
since
it
began
operating
as
a
company
in
2024,
its
goal
was
to
provide
chronic
care
management
and
remote
patient
monitoring
for
patients,
but
that
did
not
happen.
For
the
duration
of
its
existence,
its
business
instead
focused
on
requesting,
reviewing,
and
summarizing
medical
records,
and
providing
those
medical
records
to
law
firms,”
the
filing
read.
As
part
of
its
settlement
with
Epic
and
the
other
plaintiffs,
the
company
agreed
to
stop
accessing
records
through
major
interoperability
frameworks,
as
well
as
to
delete
any
patient
data
it
gathered
through
those
systems.
Epic
said
it
is
still
fighting
against
Health
Gorilla
and
the
remaining
defendants.
Health
Gorilla
maintains
that
GuardDog’s
consent
judgement
changes
nothing
for
the
company.
“If
you
read
carefully,
GuardDog
does
not
state
it
ever
informed
Health
Gorilla
of
any
non-treatment
use
of
patient
information,
and
we
are
prepared
to
demonstrate
it
did
not.
In
addition,
when
Health
Gorilla
sought
to
investigate
GuardDog
along
with
the
interoperability
networks
and
several
major
health
providers,
GuardDog
failed
to
respond
and
refused
to
cooperate,”
the
company
said
in
a
statement
sent
to
MedCity
News.
GuardDog’s
admission
may
be
the
first
crack
in
the
case,
but
Epic’s
battle
against
Health
Gorilla
is
not
yet
over
—
and
the
outcome
could
shape
how
data
interoperability
is
governed
across
the
healthcare
industry.
Photo:
OsakaWayne
Studios,
Getty
Images