CLIENT ALERT: HEALTH INFORMATION EXCHANGE VULNERABILITIES
What Happened?
On January 13, 2026, Epic Systems, the owner and provider of the largest electronic health record platform in the USA, filed a lawsuit in California alleging that numerous bad actors had likely accessed national health information exchange frameworks (“HIE”) and engaged in activities to fraudulently access and steal protected health information (“PHI”) in violation of state and federal laws. Epic is joined in this lawsuit by OCHIN, Reid Hospital and Health Care Services, Trinity Health Corporation, and UMass Memorial Health Care.
The complaint asserts that multiple bad actors knowingly and intentionally misrepresented, concealed, and otherwise obfuscated the true nature of their business activities in order to obtain access to PHI to which they held no lawful right of access. These companies, through complex corporate structures and shared parent organizations, accessed, used, and viewed PHI without a valid treatment, payment, or operations need, and in turn sold this PHI to third parties for profit. The lawsuit’s allegations also assert that many of the buyers of the PHI are personal injury lawyers and class action aggregators searching for potential claims.
This vulnerability is not limited to individuals or entities that use the Epic platform for medical records. An HIE is agnostic to the electronic health record platform: its purpose is to facilitate legitimate sharing of patient records and information regardless of where an individual receives medical treatment, so any participating organization is exposed to the same risk.
Why Should I Be Concerned?
As a Covered Entity, you are responsible for safeguarding PHI and limiting its disclosure to legitimate business purposes, in compliance with the minimum necessary standard. Clearly, this lawsuit filed by Epic suggests that Covered Entities now face a new threat in carrying out this responsibility: “wolf in sheep’s clothing” individuals posing as treating health care providers who access PHI for profit. Further complicating matters, the Information Blocking regulations codified under the 21st Century Cures Act prohibit blocking access to electronic health records unless an exception applies.
In light of the allegations raised by Epic Systems and the other plaintiffs, the mandate under HIPAA to protect PHI and the mandate under the 21st Century Cures Act to share it put Covered Entities in a difficult position. How can a Covered Entity comply with both bodies of regulation without violating state or federal law?
While HIPAA does not provide a private right of action (meaning that an individual cannot directly sue the Covered Entity for damages), the Office for Civil Rights of the Department of Health and Human Services does have the ability to impose fines and corrective action monitoring plans on Covered Entities that violate the HIPAA mandates. Similarly, the Office of the National Coordinator is empowered to enforce the Information Blocking regulations with fines and penalties. Finally, many states have enacted state-level regulations that give individuals a private right of action to directly sue Covered Entities for breaches of PHI.
What Should I Do?
While it is too early to determine the potential scope of liability, the prospect of bad actors gaining access to PHI without any breach is no longer a merely theoretical threat. This lawsuit should put all Covered Entities on notice that action is necessary. At this moment, and based upon the information currently available, HMBR recommends that Covered Entities that participate in one or more HIEs, regional health exchanges, or any other health exchange under TEFCA (Trusted Exchange Framework and Common Agreement) consider the following proactive steps:
1. Review and catalogue all exchanges that the Covered Entity is participating in.
2. Conduct an audit of the Covered Entity’s PHI flow through each exchange to identify suspicious activity.
3. Determine if any exchange participants are exhibiting behaviors that warrant additional evaluation or immediate expulsion.
4. Document the findings of the audit and the decision-making process.
5. Follow the Information Blocking exceptions to provide notice to the exchange participants of concern if their access to exchange data is going to be limited or revoked.
Because each organization’s potential risk exposure will differ based upon its health information exchange participation and the state laws affecting it, conducting the audits and any remediation activities under attorney-client privilege is advisable.
Our team at HMBR will continue to monitor this lawsuit for further developments. Please feel free to contact us if you have any questions or if we can be of assistance.