“Anytime I go to a conference, Epic is embroiled in another lawsuit" is the modern day health tech equivalent to "any time a bell rings, an angel gets its wings." JPM is here and we cannot get a break, as Epic has a new court case, this time against Health Gorilla, a Carequality and TEFCA on-ramp.
Epic’s new complaint alleges that a coordinated set of actors (RavillaMed, LlamaLab, Mammoth Dx, Unit 387, SelfRx, GuardDog, and others) are exploiting the nationwide interoperability frameworks (Carequality and TEFCA) by falsely claiming a Treatment purpose of use to obtain clinical data, then engaging in secondary use by selling or monetizing that data for mass-tort intake, plaintiff identification, and related commercial services.
Epic frames the misconduct as a structural threat to interoperability itself: because Treatment queries must be honored automatically and in real time, a bad actor who clears onboarding has “near-unfettered” access to patient records from thousands of providers across the country.
If this is sounding familiar, well, you’re correctly following along. Anchoring the narrative is the same structural weakness highlighted in Epic v. Particle 2: The Problem of Secondary Use: HIPAA’s purpose-of-use taxonomy is clear in isolation, but secondary use emerges when Treatment-authorized data is applied to purposes that are clinically unrelated (research, marketing, population outreach, patient recruitment, or, here, plaintiff generation). Indeed, a main party indicted in that original dispute, Integritort, is in the mix here:
Defendant Daniel Baker is the co-founder and Chief Technology Officer of Defendant Mammoth Rx and is also a founding member and manager of Integritort. Defendants Hilton and Baker are the CEO and Chief Financial Officer of Mammoth Global, Inc., according to a 2018 filing with the California Secretary of State.
Epic’s complaint uses almost identical language: interoperability creates a grey zone where data pulled for legitimate clinical reasons can later be repurposed inside composite, multi-line-of-business organizations. But unlike the ambiguous middle-ground cases discussed in the article, like payviders and clinical trials, Epic argues the defendants sit at the extreme end of the spectrum: entities that provide no treatment at all, and where secondary use is not incidental but primary.
Epic asserts the defendants intentionally mask their true commercial purpose behind a rotating set of shell companies, sham NPIs, and nominal clinical websites, then launder their activities through implementers who allegedly fail to conduct required vetting and, in some instances, provide “affirmative misinformation” to preserve transaction volume. Once inside the frameworks, defendants purportedly request vast numbers of patient records, inject meaningless “clinical” documents to fabricate the appearance of patient treatment, and then route the data to downstream entities that openly market to law firms seeking mass-tort plaintiffs. Epic emphasizes that this conduct is not incidental misuse but an organized, repeatable business model, with individuals migrating between entities (e.g., Integritort to Mammoth) as soon as scrutiny arises.
The complaint positions the issue as an existential risk to the governance model of interoperability networks. Carequality and TEFCA expressly rely on implementers to vet and monitor their connections, because once a participant is listed in the directory, other participants must release records for Treatment queries. Epic argues that the frameworks’ current trust-based architecture is threatened by actors who:
Fabricate treatment
Mass-request records
Monetize those records at scale, especially when implementers allegedly ignore evidence of abuse.
Epic states that if the trust model is breached and broken, providers may feel compelled to withdraw from the frameworks, destroying the core public-good value of frictionless, free interoperability for treating patients.
Offhand, elements that stick out to me:
Epic notably used Akin Gump here to represent them, rather than Cravath. I wonder if thats reflective of who they use for offense vs defense, more a function of expertise in the specific types of claims (fraud/computer fraud), or just workload - Cravath certainly is busy already on Epic’s behalf
The defendants’ responses will be way more interesting than the complaint, which highlights issues and tensions we’ve already discussed. I could imagine a countercomplaint invoking information blocking might be in play here.
The information that will come out in discovery (supposing we get that far) will be the true litmus test. We sit outside Schrodinger’s legal box currently - there’s a world where these companies are operating legally in the grey zone. There’s also another where they’re just doing bad, possibly illegal things. The devil is in the details that we (and also Epic) don’t quite have yet.
The complaint puts TEFCA risk on the table for the first time. Most prior disputes have centered on Carequality, because TEFCA has been new and lightly populated. Here, Epic explicitly names TEFCA exposure
If you believe the allegations to be true, then the problems it surfaces are not resolvable with just legal solutions. They will require significant technical updates to the structure of the networks to address root causes.
Some of the evidence in the complaint, while not fully legally damning, is certainly not a good look for the defendants. In particular, the melodrama of a married couple allegedly facilitating this alleged behavior contradicting sworn statements is optically not ideal, to say the least:
Indeed, as recently as January 8, 2026, Health Gorilla tendered a purportedly sworn statement signed by Defendant Ravilla, in which he denied any business arrangement with LlamaLab.
The owner of RavillaMed, Defendant Avinash (Avi) Ravilla, D.O., is, in fact, married to the director of patient records and automation for Defendant LlamaLab.
Anyway, hello from JPM. First article I've written and sent from mobile, so please forgive any typos. More to come here for sure.
