
Epic Drops Defunct Startup as Data Network Accountability Faces Trial

By Distilled Post Editorial Team

Epic Systems and four co-plaintiff healthcare organisations have voluntarily dismissed SelfRx from a lawsuit concerning the alleged unauthorised retrieval and commercial sale of patient medical records. The dismissal, filed with prejudice, follows a sworn declaration from SelfRx founder Martin Hensel and removes the defunct Massachusetts startup from proceedings that remain active against several other defendants.

The underlying lawsuit was filed in January in the US District Court for the Central District of California. Epic, joined by OCHIN, Reid Health, Trinity Health and UMass Memorial Health, alleges that Health Gorilla, a clinical data platform operating under the federal Trusted Exchange Framework and Common Agreement, authorised access to more than 300,000 patient records through the Carequality health exchange network. The plaintiffs contend those records were obtained for commercial rather than treatment purposes, constituting fraud.

SelfRx was named in the suit on the basis that its account on the Carequality network had been used to access more than 100,000 patient records between August 2024 and October 2025. In his declaration, Hensel stated that SelfRx had in fact accessed roughly 100 records covering 15 patients, all for treatment purposes, between April 2024 and January 2025. The company shut down its servers in February 2025 and ceased operations entirely the following month, before filing for cancellation with the state of Massachusetts in December.

Hensel was unambiguous on the central question. He stated that SelfRx never granted permission to Health Gorilla, Unit 387 or any other party to request patient records through Carequality on its behalf. As to who did access those 100,000 records under SelfRx's name, he said he does not know.

Epic has confirmed it will continue investigating that question. The company's position is that patients who received notices about their data being shared have raised privacy complaints, and that it has an obligation to trace how those records were obtained and by whom.

The case against the remaining defendants is at varying stages. Health Gorilla has filed a motion to dismiss, arguing the lawsuit is an effort by Epic to protect its dominance in the electronic health records market rather than a genuine patient privacy action. That motion has not yet been ruled upon. GuardDog Telehealth, another named defendant, admitted to providing patient records to law firms and has been permanently barred by federal court order from accessing data through TEFCA and Carequality.

Unit 387, a medical records retrieval company that sits at the centre of the access chain, has made no public statement. The company, whose founder Meredith Manak was acknowledged by Hensel as an acquaintance, is understood to have given organisations including GuardDog and SelfRx the technical means to access patient data through exchange gateways. It is not currently pulling Epic patient data but remains connected to records through the CommonWell Alliance network. Unit 387 has not responded to requests for comment.

The lawsuit, taken as a whole, exposes a structural problem in how federated health data networks handle accountability. Carequality and similar frameworks were designed to facilitate legitimate clinical data exchange across institutions. What this case illustrates is that the chain of access can involve multiple intermediary companies, each capable of passing on or exploiting data, with patient consent becoming harder to trace and enforce at each step. Whether the courts find that Health Gorilla and its customers crossed a legal line remains to be seen, but the question of who is responsible when records move through several hands without clear authorisation is one the case has yet to fully answer.