Epic Sues Health Information Exchange Network Alleging Improper Record Access

Epic Systems, the market-leading electronic medical record system provider, has filed a lawsuit against the health information network Health Gorilla and several of its clients, alleging improper access to the records of 300,000 patients.

The lawsuit, which also names OCHIN Inc., Reid Hospital & Health Care Services Inc. (Reid Health), Trinity Health Corporation, and UMass Memorial Health Care Inc. as plaintiffs, alleges that bad actors have fraudulently obtained access to patient data and are abusing that access for financial gain. The lawsuit seeks to put an end to the exploitation of health information exchange frameworks for obtaining and monetizing patient data.

The lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework.

Two national frameworks – Carequality and TEFCA – are responsible for almost one billion patient-record exchanges each month. Any provider that participates in either framework makes patient data available to other participants. As a condition of participation, they agree to comply with federal laws such as HIPAA and state regulations regarding uses and disclosures of patient data.

The defendant Health Gorilla and similar implementers of the frameworks control who can enter the frameworks and, in so doing, who can gain unfettered access to patient data. The plaintiffs therefore state that implementers have an important obligation to ensure, before an entity joins a framework, that the entity needs access for the legitimate purpose of providing treatment to patients. The lawsuit alleges that some participants are masquerading as healthcare providers that treat patients when they actually seek access in order to monetize patient records.

Once an entity is authorized to participate in a framework, it obtains access to real-time patient data, and only basic demographic information such as a patient’s name and address is required to view that individual’s records. The lawsuit alleges that Health Gorilla clients have been abusing this access for financial gain, for instance by obtaining patient data and marketing it to lawyers to help them find patients with specific conditions and diagnoses to join mass tort class action lawsuits.

The plaintiffs claim that bad actors take many actions to conceal the true purpose for access, such as maintaining fictitious websites, creating shell entities, and using sham National Provider Identification numbers in the National Plan and Provider Enumeration System to create an illusion of legitimate patient treatment activity. In some cases, the lawsuit claims they have injected clinically useless documents into the frameworks to give a false impression that they are treating patients, potentially putting patient safety at risk or, at the very least, wasting clinicians’ time.

Epic alleged that RavillaMed, a chronic condition management firm, has shared far fewer records with other providers than it retrieved, and the data the firm shared with Epic showed no evidence of any treatment of patients by a clinician, indicating records were accessed for purposes other than treatment. Epic claims that the added information incorporated previous diagnoses that are frequently involved in litigation, and other returned documents lacked any clinical value and are “clinical camouflage.” Epic alleges that RavillaMed and other Health Gorilla clients named in the lawsuit “operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”
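The two indicators the complaint relies on, a participant that retrieves far more records than it contributes back and contributed documents that carry no clinical content, can be checked from exchange audit data. The following Python script is an added, defender-side example and is not code from the lawsuit, Epic, Health Gorilla, or any framework; the participant names, audit events, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


def _events(participant, retrieved, contributed, clinical):
    """Build constructed audit events for one hypothetical participant.

    `clinical` is how many of the contributed documents a reviewer judged to
    carry real clinical content; the remainder are treated as clinically empty.
    """
    events = [{"participant": participant, "action": "retrieve"}
              for _ in range(retrieved)]
    for i in range(contributed):
        events.append({
            "participant": participant,
            "action": "contribute",
            "has_clinical_content": i < clinical,
        })
    return events


# Constructed sample audit trail (hypothetical participants, not real ones).
SAMPLE_EVENTS = (
    _events("clinic-a", retrieved=120, contributed=110, clinical=100)
    + _events("mgmt-firm-b", retrieved=900, contributed=12, clinical=0)
    + _events("new-practice-c", retrieved=8, contributed=0, clinical=0)
    + _events("specialist-d", retrieved=400, contributed=30, clinical=28)
)


@dataclass
class ParticipantStats:
    retrieved: int = 0
    contributed: int = 0
    clinical: int = 0  # contributed documents that carry clinical content

    @property
    def asymmetry(self) -> float:
        """Documents retrieved per document contributed (inf if none contributed)."""
        if self.contributed == 0:
            return float("inf")
        return self.retrieved / self.contributed

    @property
    def clinical_fraction(self) -> float:
        """Share of contributed documents that carry clinical content."""
        if self.contributed == 0:
            return 0.0
        return self.clinical / self.contributed


def summarize(events):
    """Aggregate raw audit events into per-participant counters."""
    stats = defaultdict(ParticipantStats)
    for ev in events:
        s = stats[ev["participant"]]
        if ev["action"] == "retrieve":
            s.retrieved += 1
        elif ev["action"] == "contribute":
            s.contributed += 1
            if ev.get("has_clinical_content"):
                s.clinical += 1
    return dict(stats)


def flag_suspicious(stats, max_ratio=10.0, min_retrieved=50,
                    min_clinical_fraction=0.2):
    """Return {participant: [reasons]} for participants that merit manual review.

    The thresholds are illustrative assumptions, not values from any
    framework policy or from the complaint.
    """
    flags = {}
    for name, s in stats.items():
        reasons = []
        # Heavy retrieval with little contributed back is the asymmetry
        # signal; small participants are skipped because a ratio over a
        # handful of documents says nothing.
        if s.retrieved >= min_retrieved and s.asymmetry > max_ratio:
            reasons.append("high_asymmetry")
        # Documents returned to the exchange that reviewers found to carry
        # no clinical content.
        if s.contributed > 0 and s.clinical_fraction < min_clinical_fraction:
            reasons.append("no_clinical_content")
        if reasons:
            flags[name] = reasons
    return flags


if __name__ == "__main__":
    for name, reasons in flag_suspicious(summarize(SAMPLE_EVENTS)).items():
        print(f"{name}: {', '.join(reasons)}")
```

In the constructed sample, only the management firm trips both indicators; the specialist practice trips the asymmetry check alone, which is why the two signals are reported separately rather than combined into a single verdict, and the very small new practice is left out because its volume is too low to judge.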

Health Gorilla vehemently denies the allegations, claims that it vets participants to ensure that they are seeking access to patient records for treatment purposes, and maintains that Epic is engaging in information blocking. Epic Systems is currently facing an antitrust lawsuit, brought by Particle Health, that alleges it is using its market dominance to illegally block access to health records, and more recently, Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging unfair, deceptive, and anticompetitive business practices, including restricting parental access to children’s medical records and undermining health technology competition in the state.

Epic claims that when companies are discovered to have become participants in the health information exchange under false pretenses, they simply create new companies to continue their activities. For instance, when concerns were raised about Critical Care Nurse Consulting’s access to patient records over its affiliation with law firms, it ceased accessing patient records through Carequality, and a related organization, SelfRx, which had previously been onboarded by Health Gorilla, then started retrieving large volumes of patient records.

According to the lawsuit, when Integritort, a former Particle Health client, was banned from Carequality in October 2024, the former CEO of the company co-founded Mammoth, which started accessing patient records through Health Gorilla, and as was the case with RavillaMed, returned documents with no clinical value.

The lawsuit claims that bad actors rely on technology implementers such as Health Gorilla, which conduct little to no vetting of participants, to gain access to patient data for financial gain, and that the company is knowingly enabling the abuse of patient data. Health Gorilla and the named clients deny all of Epic’s allegations, and Health Gorilla alleges that Epic is attempting to limit the exchange of health information.

“These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic,” explained a spokesperson for Health Gorilla. “Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data.”

Epic claims that if healthcare providers participating in interoperability frameworks cannot trust a request for patient records is made for the purpose of treatment, they may feel compelled to leave the framework, while other healthcare providers that have yet to join may be dissuaded from doing so.

“Bad actors like [the] Defendants have falsely framed Epic and providers’ efforts to safeguard patients’ private medical information as information blocking that is harmful to patients and as unlawful obstruction,” countered Epic. “This intimidation campaign is designed to chill scrutiny and preserve the unscrupulous actors’ access to patient records so they can monetize them, including by selling them to mass tort law firms.”

The lawsuit alleges fraud, aiding and abetting fraud, breach of contract, and violations of the federal Computer Fraud and Abuse Act, and seeks to put an end to the exploitation of interoperability frameworks. In addition to Health Gorilla, the lawsuit names RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC (Mammoth Dx); MammothPath Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC (Myself.Health); Critical Care Nurse Consultants, LLC (GuardDog Telehealth); Hoppr, LLC; Meredith Manak; and DOES 1-100 as defendants.

The post Epic Sues Health Information Exchange Network Alleging Improper Record Access appeared first on The HIPAA Journal.

Ransomware Attacks Increased by 58% in 2025

The threat from ransomware is greater than ever, according to a new report from GuidePoint Security. The cybersecurity firm recorded a 58% year-over-year increase in victims, making 2025 the most active year ever reported by GuidePoint Security. GuidePoint Security tracked 2,287 unique victims in Q4 2025 alone – the largest number of victims in any quarter tracked by the GuidePoint Research and Intelligence Team (GRIT). December was the most active month in terms of claimed victims, which increased 42% year-over-year to 814 attacks. On average, 145 new victims were added to dark web data leak sites every week in 2025, and the year ended with 7,515 claimed victims.

Law enforcement operations have targeted the most active groups, and there have been notable successes; however, they have had little effect on the number of victims, which continues to increase. Rather than the ransomware-as-a-service (RaaS) landscape being dominated by one or two major actors, law enforcement operations have helped create a highly fragmented ecosystem, with smaller groups conducting attacks in high volume, using repeatable operations. In 2025, GRIT tracked 124 distinct named ransomware groups – a 46% increase from 2024 and the highest number of groups ever recorded in a single year.

While ransomware attacks are conducted globally, ransomware actors remain primarily focused on the United States, as in previous years; 55% of attacks last year targeted U.S. organizations, followed by Canada, which accounted for 4.5% of attacks. The manufacturing sector was the most heavily targeted, accounting for 14% of attacks, followed by the technology sector (9%) and retail/wholesale (7%). Healthcare ranked fourth, with more than 500 victims in 2025.

Qilin, the most prolific RaaS group in 2025, disproportionately targets the healthcare sector. The group, which emerged in June 2024, is based in Eastern Europe and is thought to be a rebrand of the Agenda ransomware group. In 2024, the group added 154 victims to its dark web data leak site, increasing that tally by 578% to 1,044 victims in 2025, most likely by increasing its number of affiliates, many of whom are thought to have previously worked with the RansomHub group that shut down operations in April 2025. The large number of affiliates, each with their own specialties, means the group uses diverse tactics in its attacks. To put the volume of attacks into perspective, in 2025, Qilin conducted more attacks than LockBit did at its peak.

Qilin has claimed more healthcare victims than any other ransomware group, one of the most notable of which was the UK pathology lab Synnovis. That single attack has reportedly caused more than $40 million in losses. The group is expected to remain the dominant group in 2026, although expanding operations to such an extent will make it a target for law enforcement. INC Ransom was the second biggest threat to healthcare organizations in 2025, followed by SafePay. While SafePay has been observed targeting small to mid-sized organizations, the group claimed responsibility for the ransomware attack on Conduent Business Services, which recently confirmed that 14.7 million individuals in Texas alone had their data compromised in the attack.

A relatively new ransomware group called Sinobi has conducted several attacks on healthcare organizations since it emerged in mid-2025. The group picked up the pace in Q4, adding 149 victims to its data leak site. GRIT notes that such a significant increase in tempo just a few months after forming is indicative of an established rather than an emerging or developing RaaS group, indicating the group may be a rebrand or at least has some highly experienced affiliates. In 2026, Sinobi is expected to pose a significant threat to the healthcare sector. LockBit has also returned since the law enforcement disruption in 2024, adding 106 new victims to its data leak site in December. LockBit similarly has no qualms about attacking the healthcare sector and is likely to be a significant threat in 2026.

There is growing evidence that ransomware groups are incorporating AI into their operations, most commonly in social engineering, where it is used to overcome language barriers, personalize lures, and craft contextually appropriate messages that bypass traditional detection methods. They are also thought to have adopted AI to analyze the vast amounts of data they exfiltrate in their attacks, both to identify high-value data and to determine appropriate ransom demands. While there are fears of fully AI-powered attacks, none have yet been observed; threat actors are using AI to augment existing capabilities rather than to create fully autonomous or AI-coded malware, although both could become accessible enough for broader adoption in 2026.

“The year 2026 will likely see continued convergence of criminal innovation and AI capabilities, demanding that defenders adopt equally sophisticated technologies and intelligence-led approaches,” concluded GRIT. “The organizations best positioned to withstand this evolution will be those that prioritize rapid detection and response, implement comprehensive identity and access controls, and integrate AI-powered defenses as essential components of their security architecture rather than experimental additions.”

The post Ransomware Attacks Increased by 58% in 2025 appeared first on The HIPAA Journal.

PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit

PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.

PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.

Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.

For the negligence claim, the judge ruled that the plaintiffs sufficiently alleged damages arising from the breach; however, she dismissed the claims of breach of implied contract for certain plaintiffs who had no direct relationship with PharMerica, the claim of breach of fiduciary duty, and certain claims under California and Michigan law.

Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify members of the settlement class, service awards for the six class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution service. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. In addition to that settlement, PharMerica has agreed to change its business practices and improve security to better protect patient data in its possession.

The settlement received preliminary approval from the court on January 12, 2026. The deadline for objection and opting out is April 12, 2025. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.

The post PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.