This story has been updated with statements from Health Gorilla and LLamaLab.
A lawsuit filed Tuesday in the U.S. District Court for the Central District of California alleges that Health Gorilla – a clinical data platform and a qualified health information network under the federal Trusted Exchange Framework and Common Agreement – enabled at least two companies, Mammoth Path Solution and RavillaMed, to improperly access and monetize sensitive patient health data (such as genetic, mental wellbeing and reproductive information) through the Carequality network.
The plaintiffs in the suit include Epic and some of its health system customers, including OCHIN, Reid Health, Trinity Health and UMass Memorial Health. According to the filing, shared with Healthcare IT News, they are taking legal action to defend patient privacy and protect sensitive medical information from being monetized for non-treatment-related purposes, and are requesting a jury trial.
WHY IT MATTERS
The Epic-led complaint seeks immediate relief for fraud, aiding and abetting fraud, violations of the California Business and Professions Code, and the Federal Computer Fraud and Abuse Act breach of contract.
The companies in question, Health Gorilla customers, "operate as organized syndicates to monetize patient records without patients’ knowledge or consent," the plaintiffs allege in the filing.
They "request patient records for the purpose of treating patients but take patient records for other purposes, including to market them to lawyers looking for potential claimants … to join mass tort or class action lawsuits," Epic alleged in announcing the lawsuit.
Data requests and other materials shared with Health Gorilla allegedly show evidence of clinical camouflage by these customers – using clinical-sounding or generic company names – to conceal the purpose of requests, according to Epic.
The EHR vendor said documents returned by Mammoth and RavillaMed for reciprocity are either empty or lack clinical value, and the companies have complex ownership structures linked to small groups – some associated with past grievances investigated by Carequality – vague websites and fake National Provider Identifier numbers.
Rather than stopping the activities when questioned, their owners and operators create new companies. "The scheme thus operates like a Hydra: when one fraudulent entity is exposed, the bad actors birth a new one," according to Epic.
For example, RavillaMed and a company called Llamalab, an artificial intelligence medical records retrieval company, may share organizational leadership, according to documents shared with Healthcare IT News. However, an alleged Health Gorilla response letter indicated that it did not find ownership or management connections between these particular clients.
All Health Gorilla customers named in the legal complaint remain active in the QHIN as of press time, Epic said.
The company and its customers who joined the suit accuse the chief defendant of servicing legal firms and said that self-policing on the QHIN and other HIE networks is not working.
Further, they say that information blocking rules are being used to silence health systems and say they're concerned that patient data living in Epic's EHR is being breached.
In addition to 300,000 patient medical records taken from healthcare organizations nationwide that use its EHR, the named companies may have also taken health records from the U.S. Veterans Affairs and providers using other EHRs, Epic said.
"If not stopped, they will continue to inappropriately market the patient data they have already taken and will take more," said the plaintiffs in the lawsuit.
In a statement emailed to Healthcare IT News on Tuesday afternoon, a Health Gorilla spokesperson said the company "vehemently" denies the allegations in the Epic lawsuit.
"This is yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data," they said. "These actions reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic. Health Gorilla supports efforts to promote competition, patient choice, and fair access to healthcare data."
The statement added that the company "exists to ethically serve the clinical community and aligned healthcare innovators by enabling secure, appropriate access to health information – including for organizations and use cases that Epic does not directly serve."
The spokesperson noted that, since the case is in active litigation, "we can’t comment on specific allegations." But it pledged that the company had "acted in good faith" and promised to "vigorously defend the claims against Health Gorilla."
"When Epic raised concerns regarding four entities three months ago, we acted promptly and we have been working constructively with Epic and the relevant network authorities to address those concerns," the statement concluded. "Patients and providers depend on trusted, open interoperability to support care. We intend to be part of the solution through transparency, accountability and continued investment in privacy and safeguards."
LlamaLab also denied allegations in the complaint and said it would contest them.
The company "categorically disputes any suggestion that the company misused patient information or otherwise participated in any improper conduct," Shere Saidon, the company's founder and CEO, said by email on January 30.
"These claims are simply false. We have never sold patient data, and we never will."
THE LARGER TREND
Bob Watson, Health Gorilla's executive chairman, has said in the past that QHINs are intended to add data exchange purposes.
"As TEFCA moves forward, there will be progressive use of additional exchange purposes including individual access services, public health exchange, healthcare operations, payment, public benefits determination and likely research," he told Healthcare IT News last year during a conversation about how the company is advancing interoperability.
At the moment, Epic is involved as a defendant in other lawsuits related to patient data exchange.
Two years ago, Particle Health filed an antitrust lawsuit against Epic, accusing the EHR giant of violating federal law that prohibits unfair business practices.
After a Carequality dispute over certain customer data requests, Epic disconnected Particle's customers on a "massive scale" without warning, the latter alleged in the lawsuit. In September 2025, a judge denied full dismissal of Particle's antitrust case against Epic, and it continues.
And this past month, Texas Attorney General Ken Paxton announced that the state is suing the EHR vendor for deceptive and anticompetitive practices, including restricting parental access to children's medical records and undermining health technology competition in the Lone Star State.
ON THE RECORD
As for the most recent suit, "these actors are putting the enormous positive patient outcomes achieved through interoperability at imminent risk," said Epic and its health system plaintiffs in the new filing. "When used appropriately, interoperability ensures that medical care is informed by a patient’s medical history, allowing healthcare providers to improve patient outcomes."
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.