A bombshell lawsuit filed by Epic Systems on January 13, 2026 accuses a network of data brokers and shell companies of fraudulently obtaining nearly 300,000 patient records and turning private medical information into a commodity for outsiders. This is not a scare story — it is a legal complaint from one of the largest health IT companies in America, and it should alarm every patient who trusts their doctor with sensitive information.
Epic’s filing names Health Gorilla as the alleged gatekeeper that enabled companies like RavillaMed, LlamaLab, Unit 387 and others to pose as treatment providers and siphon records off the national exchange. The suit paints a picture of outfits advertising “same-day” medical record retrieval and selling leads to law firms and marketers, a grotesque monetization of private health details.
The problem is structural: the Carequality interoperability network and other exchange frameworks were built to make care safer and more efficient, but they’ve outsourced vetting to intermediaries who evidently have financial incentives to look the other way. When the people checking credentials are the ones getting paid by those requesting records, you have a recipe for abuse and a betrayal of patient trust.
Worse, most Americans would never know their records were grabbed and repackaged; the lawsuit alleges the documents ended up being marketed to lawyers and possibly others who have no clinical need for them. This is privacy theater turned into a profit stream, and it demonstrates why technological convenience cannot trump basic rights.
Health Gorilla and several defendants have denied the allegations and pushed back by accusing Epic of trying to throttle competition — a charge that dovetails with longstanding antitrust scrutiny of Epic’s market power. Still, denials do not erase the fact that the system’s incentives are upside-down: companies can profit when they let records flow, and patients pick up the tab in lost privacy.
This is a moment for conservatives who believe in personal liberty and limited government to stand up for real privacy protections rather than platitudes about “innovation.” The marketplace failed patients here; the firms involved enriched themselves while hiding behind technicalities. If we love freedom, we must defend the private sphere where families make their most intimate choices without fear of corporate exploitation.
Washington and the states must stop pretending that interoperability frameworks can police themselves forever. TEFCA and related federal initiatives were rolled out to modernize data sharing, but if bad actors can exploit the system, Congress and state attorneys general need to tighten rules, demand auditable logs, and impose real penalties for profiteering off patient data.
Americans deserve accountability and a return of control over their medical records — not more bureaucratic finger-pointing or hollow statements from industry players. Epic’s lawsuit is imperfect and messy, but it’s the kind of fight that can force reform, and conservatives should support robust, clear protections that put patients back in charge and hold data predators to account.
