The recently filed complaint in a California district court by Epic Systems and several large health systems against Health Gorilla and other entities places healthcare interoperability at the center of a broader debate about patient data use, regulation, and litigation risk.
While the allegations will be fleshed out in court (motions to dismiss are pending), the case raises important questions about the boundaries between regulatory compliance, contractual enforcement, and fraud-based liability.
At its core, the lawsuit alleges that certain entities improperly accessed patient records through national interoperability frameworks, Carequality and TEFCA, by asserting a “treatment” purpose when their alleged downstream use involved mass tort claimant identification. Plaintiffs frame this conduct as a coordinated scheme that threatens patient privacy and the integrity of nationwide data exchange.
The case warrants scrutiny beyond the headline allegations. Interoperability frameworks are complex, highly technical systems designed to facilitate rapid information sharing in healthcare. They rely on layered contractual obligations among implementers, participants, and downstream users. That arrangement inevitably results in ambiguous situations, especially when the same data can be used for several legitimate purposes throughout its lifecycle.
One key issue to watch is whether the complaint attempts to transform alleged misuse of interoperability rules into broad fraud claims untethered from traditional elements such as intent, reliance, and concrete harm. Not every regulatory violation, or disputed characterization of “treatment purpose,” should automatically give rise to fraud liability. If courts conflate compliance disagreements with deceptive intent, the result could be an expansion of litigation exposure well beyond the alleged bad actors.
This risk is especially relevant in the mass tort context. Modern mass tort litigation increasingly depends on data analytics, epidemiology, and medical record review to identify potential claimants and assess exposure and causation. While patient privacy must be protected, defense counsel should be wary of legal theories that implicitly stigmatize any intersection between medical data and litigation screening. If data access connected to litigation becomes presumptively suspect, a resulting effect could be to chill legitimate defense-side investigations, expert analysis, and case vetting.
Equally important is the role of intermediaries. The complaint devotes significant attention to alleged failures by implementers to vet participants and police downstream conduct. That theory, if accepted wholesale, risks imposing quasi-regulatory duties on private technology companies that were never intended to serve as enforcement arms of the law. For mass tort defendants, the concern is precedent: expanding secondary liability based on alleged “red flags” could encourage plaintiffs to name increasingly peripheral actors in future litigation, driving up costs and complexity without clear gains in accountability.
There is also a systemic consideration. Interoperability frameworks exist to improve patient care, reduce duplication, and enable timely medical decision-making. Overly aggressive litigation theories may prompt providers and technology vendors to restrict participation, slow data exchange, or adopt defensive practices that undermine these goals. In the long run, that outcome could make it harder for both sides in mass tort cases to get the medical records they need since reliable medical histories are essential for evaluating claims and defenses alike.
None of this is to minimize the importance of patient privacy or to excuse misconduct if proven. Rather, Epic v. Health Gorilla highlights the need for balance. Courts will be asked to draw careful distinctions between fraud and noncompliance, between intentional schemes and system-level weaknesses, and between legitimate litigation activity and improper data monetization.
Mass tort defense lawyers should keep an eye on this case; it could reshape the legal landscape for how medical data is gathered, scrutinized, and disputed in court. The outcome may determine whether debates over data use stay grounded in regulatory and contractual rules or explode into sweeping tort claims with far-reaching consequences.
[View source.]
