Legal News about HIPAA Compliance

Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc. – alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.

The post Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Epic Sues Health Information Exchange Network Alleging Improper Record Access

Epic Systems, the market-leading electronic medical record system provider, has filed a lawsuit against the health information network Health Gorilla and several of its clients, alleging improper access to the records of 300,000 patients.

The lawsuit, which also names OCHIN Inc, Reid Hospital & Health Care Services Inc. (Reid Health), Trinity Health Corporation, and UMass Memorial Health Care Inc., as plaintiffs, alleges bad actors have fraudulently obtained access to patient data and are abusing access for financial gain. The lawsuit seeks to put an end to the exploitation of health information exchange frameworks for obtaining and monetizing patient data.

The lawsuit alleges that certain Health Gorilla clients are turning nationwide interoperability frameworks into data marts, where sensitive patient data can be bought and sold without patients’ or physicians’ knowledge or consent, including patient data stored in Epic’s interoperability framework.

Two national frameworks – Carequality and TEFCA – are responsible for almost one billion patient-record exchanges each month. Any provider that participates in either framework makes patient data available to other participants. As a condition of participation, they agree to comply with federal laws such as HIPAA and state regulations regarding uses and disclosures of patient data.

The defendant Health Gorilla and similar implementers of the frameworks control who can enter the frameworks, and in so doing, who can gain unfettered access to patient data. As such, the plaintiffs state that there is an important obligation to ensure that prior to joining the framework, the entity requesting access requires that access for the legitimate purpose of providing treatment to patients. The lawsuit alleges that some participants are masquerading as healthcare providers who provide treatment to patients but seek access to monetize patient records.

Once authorized to participate in the framework, a participant obtains access to real-time patient data, needing only basic demographic information such as a patient’s name and address to view that individual’s records. The lawsuit alleges that Health Gorilla clients have been abusing that access to patient data for financial gain, for instance by obtaining patient data to market to lawyers seeking patients with specific conditions and diagnoses to join mass tort class action lawsuits.

The plaintiffs claim that bad actors take many actions to conceal the true purpose for access, such as maintaining fictitious websites, creating shell entities, and using sham National Provider Identification numbers in the National Plan and Provider Enumeration System to create an illusion of legitimate patient treatment activity. In some cases, the lawsuit claims they have injected clinically useless documents into the frameworks to give a false impression that they are treating patients, potentially putting patient safety at risk or, at the very least, wasting clinicians’ time.

Epic alleged that RavillaMed, a chronic condition management firm, has shared far fewer records with other providers than it retrieved, and the data the firm shared with Epic showed no evidence of any treatment of patients by a clinician, indicating records were accessed for purposes other than treatment. Epic claims that the added information incorporated previous diagnoses that are frequently involved in litigation, and other returned documents lacked any clinical value and are “clinical camouflage.” Epic alleges that RavillaMed and other Health Gorilla clients named in the lawsuit “operate as organized syndicates to monetize patient records without patients’ knowledge or consent.”

Health Gorilla vehemently denies the allegations, claims that it vets participants to ensure that they are seeking access to patient records for treatment purposes, and maintains that Epic is engaging in information blocking. Epic Systems is currently facing an antitrust lawsuit, brought by Particle Health, that alleges it is using its market dominance to illegally block access to health records. More recently, Texas Attorney General Ken Paxton filed a lawsuit against Epic alleging unfair, deceptive, and anticompetitive business practices, including restricting parental access to children’s medical records and undermining health technology competition in the state.

Epic claims that when companies are discovered to have become participants in the health information exchange under false pretenses, they simply create new companies to continue their activities. For instance, when concerns were raised about Critical Care Nurse Consulting’s access to patient records over its affiliation with law firms, it ceased accessing patient records through Carequality, then a related organization, SelfRx, that had previously been onboarded by Health Gorilla, started taking large volumes of patient records.

According to the lawsuit, when Integritort, a former Particle Health client, was banned from Carequality in October 2024, the former CEO of the company co-founded Mammoth, which started accessing patient records through Health Gorilla, and as was the case with RavillaMed, returned documents with no clinical value.

The lawsuit claims that bad actors rely on technology implementers such as Health Gorilla, which conduct little to no vetting of participants, to gain access to patient data for financial gain, and that the company is knowingly enabling the abuse of patient data. Health Gorilla and the named clients deny all of Epic’s allegations, and Health Gorilla alleges that Epic is attempting to limit the exchange of health information.

“These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic,” explained a spokesperson for Health Gorilla. “Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data.”

Epic claims that if healthcare providers participating in interoperability frameworks cannot trust a request for patient records is made for the purpose of treatment, they may feel compelled to leave the framework, while other healthcare providers that have yet to join may be dissuaded from doing so.

“Bad actors like [the] Defendants have falsely framed Epic and providers’ efforts to safeguard patients’ private medical information as information blocking that is harmful to patients and as unlawful obstruction,” countered Epic. “This intimidation campaign is designed to chill scrutiny and preserve the unscrupulous actors’ access to patient records so they can monetize them, including by selling them to mass tort law firms.”

The lawsuit alleges fraud, aiding and abetting fraud, breach of contract, and violations of the Federal Computer Fraud and Abuse Act, and seeks to put an end to the exploitation of interoperability frameworks. In addition to Health Gorilla, the lawsuit names RavillaMed PLLC; Avinash Ravilla; Shere Saidon; LlamaLab, Inc.; Unique Medi Tech LLC (Mammoth Dx); MammothPath Solution, LLC; Mammoth Rx, Inc.; Ryan Hilton; Daniel Baker; Max Toovey; Unit 387 LLC; SelfRx, LLC (Myself.Health); Critical Care Nurse Consultants, LLC (GuardDog Telehealth); Hoppr, LLC; Meredith Manak; and DOES 1-100 as defendants.


PharMerica Pays Over $5.2 Million to Settle Class Action Data Breach Lawsuit

PharMerica has agreed to settle a class action lawsuit over a 2023 hacking incident and data breach that affected 5.8 million individuals. In addition to paying $5.2 million to cover costs and benefits, PharMerica has committed to investing millions to strengthen its security posture.

PharMerica, a Fortune 1000 pharmacy services provider, experienced a cyberattack in March 2023 for which the Money Message ransomware group took credit. The group claimed to have exfiltrated 4.7 terabytes of data in the attack, and it proceeded to leak the stolen data on its dark web data leak site, including files containing patient information. Data compromised in the attack included names, addresses, birth dates, medications, Social Security numbers, and health insurance information.

Several class action lawsuits were filed against PharMerica in response to the data breach, alleging negligent collection and storage of patient data. The lawsuits had overlapping claims and were consolidated into a single complaint – Lurry v. PharMerica Corporation – in the United States District Court for the Western District of Kentucky, Louisville Division. PharMerica denies all claims of liability and wrongdoing and sought to have the lawsuit dismissed. On January 12, 2024, a federal judge partially granted the motion to dismiss; however, she allowed the lawsuit to proceed.

For the negligence claim, the judge ruled that the plaintiffs sufficiently alleged damages arising from the breach; however, she dismissed the claims of breach of implied contract for certain plaintiffs who had no direct relationship with PharMerica, the claim of breach of fiduciary duty, and certain claims under California and Michigan law.

Under the terms of the settlement, PharMerica has agreed to pay $5,275,000 into a settlement fund, which will be used to pay attorneys’ fees, settlement administration costs, PharMerica’s past and future costs of data mining to identify membership to the settlement class, service awards for the six class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $10,000 per class member, and are also entitled to claim a one-year membership to a credit monitoring, dark web monitoring, payday loan monitoring, credit score reporting, fraud consultation, and identity theft resolution service. That package also includes a $1 million identity theft insurance policy. In addition, class members may claim a one-time cash payment, which will be paid pro rata and will depend on the number of claims received. In addition to that settlement, PharMerica has agreed to change its business practices and improve security to better protect patient data in its possession.

The settlement received preliminary approval from the court on January 12, 2026. The deadline for objection and opting out is April 12, 2025. Claims must be submitted by April 27, 2026, and the final fairness hearing has been scheduled for May 12, 2026.


Consulting Radiologists Pays $2.2M to Settle Class Action Data Breach Litigation

A settlement has been approved to resolve class action data breach litigation against Consulting Radiologists Ltd., a physician-owned radiology practice that provides medical imaging services at more than 100 healthcare facilities in Minnesota and the surrounding areas.

The Consulting Radiologists data breach was reported to the HHS’ Office for Civil Rights on June 14, 2024, as involving the protected health information of up to 583,824 individuals. A network intrusion was identified on February 12, 2024, and the investigation confirmed that the network was accessed by an unauthorized third party who may have obtained patient data such as names, addresses, dates of birth, medical information, health insurance information, along with the Social Security numbers of 19,346 individuals.

The data breach was announced in April 2024, and notification letters were sent to the affected individuals. Shortly thereafter, a class action lawsuit was filed in response to the data breach, followed by a further 18 complaints. In August 2024, District Court Judge Thomas Conley issued an order to consolidate all complaints against Consulting Radiologists. The consolidated lawsuit – In re Consulting Radiologists Data Incident Litigation – was filed in the District Court of the 4th Judicial District Court of Hennepin County, Minnesota, on November 1, 2024.

The lawsuit claimed the data breach was the result of negligence and could have been prevented had reasonable and appropriate cybersecurity measures been implemented and maintained. The lawsuit alleged that Consulting Radiologists had violated the HIPAA Rules, including the HIPAA Security Rule, by failing to properly secure patient data and the HIPAA Breach Notification Rule due to the delay in issuing notifications to the affected individuals.

The lawsuit asserted claims of negligence, negligence per se, breach of contract, breach of implied contract, breach of third-party contract, breach of implied covenant of good faith and fair dealing, breach of fiduciary duty, breach of confidence, invasion of privacy/intrusion upon seclusion, unjust enrichment, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act.

Consulting Radiologists sought to have the lawsuit dismissed, and that attempt was partially successful; however, the court declined to dismiss the claims of negligence, negligence per se, unjust enrichment, injunctive/declaratory relief, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act. Following mediation and ongoing negotiations, a settlement was agreed to bring the litigation to an end, with no admission of liability or wrongdoing. Consulting Radiologists has agreed to pay $2,200,000 in aggregate to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 19 class representatives, and benefits to the class members.

Class members may claim up to three benefits under the settlement: a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member; two years of single-bureau credit monitoring services may be claimed; and class members may also claim a cash payment. The cash payments depend on the types of data compromised in the incident, and are expected to be $125 for individuals whose Social Security numbers were involved, and $50 for all other class members. The cash payments are subject to a pro rata reduction to remain under the cap of $2,200,000.

The deadline for objection to and exclusion from the settlement is January 30, 2026. The deadline for submitting a claim is March 2, 2026, and the final fairness hearing has been scheduled for February 25, 2026. Further information can be found on the settlement website: https://www.crdatasettlement.com/


Settlement Resolves Data Breach Litigation Against Falcon Healthcare-Interim Healthcare of Lubbock Texas

Falcon Healthcare, doing business as Interim Healthcare of Lubbock, Texas, a home care and home health care service provider, has agreed to settle class action litigation stemming from a hacking incident that was first identified in June 2022. An unauthorized third party had access to its computer network between April 29, 2022, and July 3, 2022, and downloaded the protected health information of 89,443 patients.

Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, diagnoses, lab results, medications, and treatment information. The affected individuals were offered complimentary credit monitoring and identity theft protection services; however, it took until April 25, 2025, before the affected individuals were notified about the data breach.

On May 1, 2024, a class action lawsuit – Dawn Rice v. Falcon Healthcare, Inc. d/b/a Interim Healthcare of Lubbock, Texas – was filed in the District Court of Lubbock County, Texas, seeking damages on behalf of a national class of individuals affected by the incident. The lawsuit claimed that the data breach could have and should have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment.

The defendant denied all claims and contentions in the lawsuit, including all claims of liability and wrongdoing. Following mediation, all parties reached an agreement on the material terms of a settlement. A settlement was determined to be the best outcome for all parties to avoid further legal costs and expenses and the uncertainty of a trial and related appeals.

The terms of the settlement have now been finalized and approved by a federal judge. Falcon Healthcare has agreed to establish an $800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, a service award for the class representative, and two years of medical data monitoring for the class members.

Class members are entitled to claim one of two further benefits. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim a cash payment, which is estimated to be $100 per class member. These benefits will be subject to a pro rata adjustment based on the number of claims received. Further information can be found on the settlement website: https://falcondatasettlement.com/

The deadline for exclusion from the settlement and objection is January 20, 2026. All claims must be submitted by January 26, 2026, and the final fairness hearing has been scheduled for February 10, 2026.


Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules

Texas Attorney General Ken Paxton has filed a joint stipulation of dismissal without prejudice, seeking to dismiss all claims in a September 2024 complaint against the U.S. Department of Health and Human Services (HHS), former HHS Secretary Xavier Becerra, and former Office for Civil Rights (OCR) Director Melanie Fontes Rainer. On November 24, 2025, the court granted Paxton’s request and dismissed the lawsuit.

The complaint was filed in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule issued by the Biden Administration and added to the Federal Register in April 2024. The complaint sought declaratory and injunctive relief against the enforcement of the rule by the HHS, and to vacate another final rule, the HIPAA Privacy Rule of 2000. AG Paxton alleged that the HHS had overstepped its authority when issuing both final rules.

The decision to dismiss the lawsuit was likely influenced by a ruling in a separate lawsuit, filed in Texas last year by Dr. Carmen Purl, who runs Dr. Purl’s Fast Care Walk-in Clinic in Dumas, Texas. The lawsuit, Carmen Purl, et al., v. United States Department of Health and Human Services et al., was filed in the U.S. District Court for the Northern District of Texas, Amarillo Division, also in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

The reproductive healthcare final rule was issued by the Biden administration as part of its response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned Roe v. Wade, which for 50 years had protected the right to abortion prior to the point of fetal viability. With Roe v. Wade overturned, the legality of abortion became a state rather than federal matter, and almost half of U.S. states subsequently passed laws banning or restricting abortions.

The final rule created a new subclass of protected health information, reproductive health information, restricting disclosures of that information to government authorities and law enforcement. The final rule effectively prevented states from obtaining reproductive health information to hold individuals and healthcare providers liable under state law for abortions obtained legally out of state.

Purl alleged that the final rule was arbitrary and capricious and exceeded the HHS’s statutory authority, claiming the final rule impaired the clinic’s ability to participate in public health investigations and comply with state law that requires suspected child abuse to be reported. The lawsuit was successful, with the court denying the defendants’ motion to dismiss and vacating most of the modifications to the HIPAA Privacy Rule, which were deemed unlawful for distinguishing between different types of health information to accomplish political ends. The Notice of Privacy Practices requirements for healthcare providers covered by the Part 2 regulations relating to substance use disorder were not vacated. While the lawsuit originated in the state of Texas, the ruling had nationwide effect. The HHS chose not to appeal the decision.

The court’s decision to vacate the Reproductive Healthcare Privacy Final Rule achieved some of the main goals of AG Paxton’s complaint, which likely played a key role in the decision to seek dismissal of the complaint. Since the complaint was dismissed without prejudice, AG Paxton retains the right to refile the same complaint in the future, should he so wish.

The decision to dismiss the complaint is good news for Americans, as the HIPAA Privacy Rule ensures that their personally identifiable health information is protected and, absent their express consent, can be used only for purposes related to treatment, payment for healthcare, and healthcare operations. The HIPAA Privacy Rule also gave patients rights over their health information, allowing them to obtain a copy of their health data, request that errors be corrected, ask for restrictions on disclosures, and be provided with an accounting of disclosures of their PHI to learn who has been given their health information.


$3.5 Million Mindpath Health Data Breach Settlement Gets First Nod

A California Superior Court judge has given preliminary approval to a settlement resolving a class action lawsuit against Community Psychiatry Management, LLC, operating as Mindpath Health, stemming from two email data breaches in 2022 that affected 193,947 individuals.

Mindpath Health is a California-based mental health service provider serving patients in seven U.S. states. In March 2022 and again in June 2022, unauthorized individuals gained access to Microsoft Office 365 business accounts that contained the protected health information of Mindpath Health patients and other individuals. The breach was discovered in June during a routine audit of its email environment, which identified suspicious account activity.

The investigation confirmed that two email accounts had been subject to unauthorized access in March and June 2022, exposing names, addresses, Social Security numbers, dates of birth, medical diagnoses, prescriptions, treatment information, and health insurance information. Notification letters were sent to the affected individuals on January 10, 2023, almost seven months after the breach was identified.

A class action lawsuit was filed in the Eastern District of California by plaintiff Corina Lowrey on January 30, 2023, followed by two further complaints from other Mindpath Health patients. The lawsuits were consolidated into a single complaint – Lowrey, et al., v. Community Psychiatry Management, LLC – in the Superior Court of California, County of Los Angeles.

The plaintiffs claimed that the breach was a direct consequence of cybersecurity failures by the defendant, with the lawsuit asserting claims of negligence, breach of fiduciary duty, breach of implied contract, breach of confidence, unjust enrichment/quasi-contract, and violations of the California Constitutional Right to Privacy, California Confidentiality of Medical Information Act, California Unfair Competition Law, California Consumer Records Act, California Consumer Privacy Act, and California Consumer Legal Remedies Act.

The defendant maintains that there was no wrongdoing and disagrees with all claims and contentions in the lawsuit; however, following two full-day mediation sessions, all parties reached an agreement to settle the litigation to avoid further legal expenses from what would likely be protracted litigation and the uncertainty of trial and related appeals.

Under the terms of the settlement, the defendant will establish a $3.5 million settlement fund from which attorneys’ fees ($1,166,666.67) and expenses (up to $35,000), settlement administration costs (up to $202,900), and service awards ($5,000 for each of the three plaintiffs) will be deducted. The remainder of the settlement will be used to pay for benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $1,500 per class member, and up to $10,000 as reimbursement for documented, unreimbursed extraordinary losses, including losses due to identity theft and fraud. All class members who submit a valid claim are entitled to three years of credit monitoring services.

As an alternative to the credit monitoring services, class members can choose to receive a pro rata cash payment, expected to be approximately $50. The cash payments may be adjusted upwards or downwards depending on the number of valid claims received. Individuals who were California residents at the time of either of the two email security incidents may claim an additional pro rata cash payment of $50. These payments may also be adjusted based on the number of valid claims received.

The final approval hearing has been scheduled for February 19, 2026. Individuals wishing to object to the settlement, exclude themselves, or submit a claim for benefits must do so by January 5, 2026.


Main Line Fertility Center Settles Tracking Technology Lawsuit

Main Line Fertility Center in Pennsylvania will pay cash payments to individuals whose sensitive data may have been disclosed to third parties via website tracking technologies. Like many healthcare providers, Main Line Fertility Center deployed third-party tracking tools and analytics code on its public website, including Meta Pixel. While these tools can provide valuable data to website owners, their use is problematic in healthcare due to the potential for sensitive data to be transferred to the providers of those tools. Depending on how and where these tools are deployed, they can potentially transfer personally identifiable and health information to those third parties.

In the case of Main Line Fertility Center, it was alleged to have used these tools without patients’ knowledge or consent, resulting in individually identifiable information being transferred to third parties, such as Meta. Anonymous plaintiff Jane Doe filed a lawsuit – Jane Doe v. Main Line Fertility, Ltd. – in the Court of Common Pleas of Philadelphia County, Pennsylvania, alleging the use of these tools without the knowledge or consent of patients amounted to negligence and violated the Pennsylvania Unfair Trade Practices Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, and unjust enrichment.

Main Line Fertility Center maintains that there was no wrongdoing and filed its preliminary objections to the complaint on September 19, 2024; however, the court overruled the objections and ordered Main Line Fertility Center to file its answer to the plaintiff’s complaint, which was filed on February 6, 2024. Following substantive discovery efforts and extensive settlement discussions, Main Line Fertility Center agreed to participate in private mediation, and the material terms of a settlement were agreed upon. The full terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

Similar to several other pixel-related settlements in recent months, class members will be provided with a cash payment and membership to a Privacy Shield Pro product. Class members wishing to submit a claim can elect to receive a one-time cash payment of $35, and if they submit a valid and timely claim, they will receive a code to enroll in the Privacy Shield Pro product. Main Line Fertility Center has also agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives.

The deadline for opting out of and objecting to the settlement is December 1, 2025, and claims must be submitted by December 29, 2025. The final fairness hearing has been scheduled for January 6, 2026.


Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation

Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.

Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.

The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.

Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).

Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.

In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.
