Epic / Health Gorilla HIE Governance Scandal
In January 2026, Epic Systems notified multiple member health systems that Health Gorilla — a TEFCA / QHIN on-ramp — and "certain network participants" had submitted record requests under the pretext of "treatment purposes" that the HIE could not verify as legitimate. Records were allegedly routed to law firms for mass-tort marketing. ~300,000 records pulled across Epic-community health systems via sham NPIs. Epic + affected systems filed Epic Systems Corp. v. Health Gorilla, Inc. (W.D. Wisconsin) in January 2026.
Affected
3,427
Providers
2
Window
January–March 2026
Threat actor
Unattributed
Scope
Epic-community US health systems whose patient records were extracted through the abused HIE pipeline. Trinity Health and UPMC are the publicly-named affected systems.