Epic Sues Health Gorilla Over Alleged Sham Network Accessing Nearly 300k Patient Records
Epic alleges Health Gorilla enabled fake providers to harvest nearly 300,000 patient records, including 551 from Michigan Medicine, via a health information exchange. Learn the facts, impact, and defensive steps.

TL;DR
Epic Systems alleges Health Gorilla enabled a sham network that accessed nearly 300,000 patient records, including 551 from Michigan Medicine, between October 2023 and November 2025. The alleged scheme used fake NPI numbers and shell companies to pose as legitimate providers via a health information exchange.
Context
Michigan Medicine sent breach notification letters to about 551 patients on May 1, alerting them to unauthorized access to their electronic medical records. The health system said the incident occurred from Oct 18, 2023, through Nov 12, 2025, and exposed names, addresses, clinical data, and insurance information but not Social Security numbers.

Key Facts
On Jan 13, 2026, Epic notified Michigan Medicine of unusual third‑party request activity through its health information exchange connection. The same day Epic filed a lawsuit in the U.S. District Court for the Central District of California against Health Gorilla and its network.
The complaint alleges the sham operators created fictitious websites, shell entities, and false NPI numbers to masquerade as treatment providers, and inserted junk data into records to feign legitimate care. Health Gorilla denies the allegations, stating it suspended connections with the implicated parties and began an internal investigation.

What It Means
The case highlights how weak identity verification in health information exchanges can be exploited for large‑scale data harvesting, posing risks to patient privacy and clinical safety. It also underscores the growing use of fake provider credentials as a tactic to bypass consent controls and monetize protected health information.

What Defenders Should Do
Healthcare organizations can reduce the risk of similar credential‑spoofing attacks by adopting the following controls.
- Enforce strict validation of NPI numbers and provider credentials before granting HIE access, using real‑time checks against the NPI Registry.
- Implement anomaly‑based monitoring of record‑request patterns, flagging high‑volume or non‑clinical queries for review.
- Require multi‑factor authentication and least‑privilege scopes for all third‑party applications connecting to the exchange.
- Regularly audit access logs for junk‑data insertions or unusual documentation that could indicate feigned treatment activity.
- Share indicators of compromise, such as known sham domains or shell‑company identifiers, via ISACs to improve collective detection.
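As an added illustration (not code from the article, Epic, or Health Gorilla), the first two controls above as runnable checks: an NPI check-digit test and a review pass over a constructed HIE request log. The log format, purpose codes, thresholds and sample NPIs are assumptions; the check-digit test is only a local format check and does not replace a real-time NPI Registry lookup.

```python
"""Added example: NPI check-digit validation plus anomaly review of HIE
request logs. Log format, thresholds and sample values are constructed."""
import re
from collections import defaultdict

def npi_check_digit_ok(npi: str) -> bool:
    """Luhn check over the fixed prefix 80840 plus the 10-digit NPI.
    Format check only: a valid check digit does not prove the NPI is
    assigned to a real provider (that needs an NPI Registry lookup)."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def build_sample_log() -> str:
    """Constructed request log (hypothetical format, not real data)."""
    lines = [
        "2025-11-10T09:14:02Z requester_npi=1234567893 patient=P001 purpose=TREATMENT",
        "2025-11-10T09:20:11Z requester_npi=1234567893 patient=P002 purpose=TREATMENT",
        "2025-11-10T09:21:00Z requester_npi=1234567890 patient=P003 purpose=TREATMENT",
        "2025-11-10T10:05:00Z requester_npi=1234567893 patient=P004 purpose=MARKETING",
    ]
    # One requester pulling 25 different patients' records in a single early-morning hour.
    lines += [f"2025-11-10T02:{i:02d}:00Z requester_npi=1111111112 patient=Q{i:03d} purpose=TREATMENT"
              for i in range(25)]
    return "\n".join(lines)

LINE_RE = re.compile(r"^(?P<ts>\S+) requester_npi=(?P<npi>\S+) patient=(?P<pt>\S+) purpose=(?P<purpose>\S+)$")
ALLOWED_PURPOSES = {"TREATMENT", "PAYMENT", "OPERATIONS"}   # assumed clinical purpose codes

def review_requests(log_text: str, max_patients_per_hour: int = 20) -> dict:
    """Map each requester NPI to the reasons a human should review its activity."""
    findings = defaultdict(list)
    bad_npis, patients_per_hour = set(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # unparseable lines are skipped here
        npi, hour = m["npi"], m["ts"][:13]  # hour bucket: YYYY-MM-DDTHH
        if not npi_check_digit_ok(npi):
            bad_npis.add(npi)
        if m["purpose"] not in ALLOWED_PURPOSES:
            findings[npi].append(f"non-clinical purpose {m['purpose']} for {m['pt']}")
        patients_per_hour[(npi, hour)].add(m["pt"])
    for npi in bad_npis:
        findings[npi].append("NPI fails check-digit validation")
    for (npi, hour), pts in patients_per_hour.items():
        if len(pts) > max_patients_per_hour:
            findings[npi].append(f"{len(pts)} distinct patients requested in hour {hour}")
    return dict(findings)

if __name__ == "__main__":
    for npi, reasons in review_requests(build_sample_log()).items():
        print(npi, reasons)
```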
The outcome of the Epic v. Health Gorilla lawsuit and any ensuing regulatory guidance will shape future HIE trust frameworks; stakeholders should watch for court rulings, potential settlements, and updated identity‑verification standards from ONC or HHS.