
Can Your Health Records Be Sold for Profit? Epic Systems Lawsuit Says It’s Happening

By Distilled Post Editorial Team

A major lawsuit filed by Epic Systems in January 2026 has exposed critical vulnerabilities in the digital health data ecosystem, sending shockwaves through the industry. The largest electronic health record (EHR) vendor in the U.S., alongside health systems like Reid Health, Trinity Health, UMass Memorial Health, and OCHIN, has sued in the U.S. District Court for the Central District of California, alleging widespread improper access and monetisation of sensitive patient records.

The core of the complaint is the claim that nearly 300,000 patient medical records were accessed and used for commercial gain without patient consent. The lawsuit specifically targets the misuse of national health data exchange networks, which are designed to facilitate better care co-ordination.

Epic alleges that entities such as RavillaMed and LlamaLab obtained these patient records through a health information exchange gateway, Health Gorilla, by falsely representing themselves as legitimate healthcare providers. The suit claims these actors then monetised the data for non-clinical purposes, including reportedly providing lists of potential clients to legal firms.

The complaint details how the defendants allegedly exploited interoperability frameworks, such as Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA), to gain access, sometimes inserting fabricated clinical information into records. Although the defendants deny wrongdoing and the definitive sale of records is not yet proven, Epic argues that the sheer volume and speed of data access strongly indicate profit-driven activities over genuine patient care.

This incident underscores a global problem: the commercial vulnerability of health data, which is highly valuable. Cybersecurity research highlights that individual medical records can command significant prices on black markets due to the rich personal information they contain. Furthermore, many health and lifestyle apps, often not covered by strict privacy laws like the U.S.'s HIPAA, may share user data with third parties without offering users an explicit opt-out.

While U.S.-based, the lawsuit holds crucial global lessons. It highlights the tension between facilitating data accessibility for legitimate healthcare and research and preventing commercial exploitation that is often opaque to patients. Regulatory frameworks worldwide, including in the UK with ongoing debates about NHS data sharing, face the challenge of ensuring interoperable health systems are not exploited for non-clinical profit.

This case serves as a wake-up call for policymakers and health systems globally. Maintaining patient trust requires robust measures: strict verification of organisations accessing health records, detailed audit trails, explicit informed consent mechanisms, and clear penalties for misuse. Patient advocates are calling for greater transparency, stronger enforcement of privacy protections, and user controls that empower individuals to manage their data.

Ultimately, the lawsuit reinforces the notion that health data, one of the most personal categories of information, must be treated as a confidential record of care rather than a commercial commodity. As the case proceeds, it is expected to significantly influence future global policy on health data governance, balancing digital innovation with individual privacy protection.