Epic Systems, OCHIN, Reid Health, Trinity Health, and UMass Memorial Health Care are pressing a ten-count complaint against Health Gorilla and more than a dozen related defendants, alleging the health-data intermediary let improperly vetted entities exploit the national health-information exchange frameworks Congress created to make treatment records flow freely between providers.

The suit, filed January 13, 2026, in the U.S. District Court for the Central District of California as Case No. 2:26-cv-00321, names Health Gorilla alongside a web of individuals, medical entities, and LLCs organized into what the complaint calls overlapping "rings." The defendants include RavillaMed, several Mammoth-branded companies, Unit 387, SelfRx (doing business as Myself.Health), and GuardDog Telehealth, among others.

The complaint centers on how Carequality and TEFCA work. Carequality processes roughly 1.2 billion medical document exchanges per month. TEFCA, created under the 21st Century Cures Act, is the federal framework for nationwide health-data exchange. When a request is coded for treatment, the responding provider must return effectively the full patient record automatically, without reviewing the request or applying discretion. Health Gorilla participated as both a Carequality implementer and a TEFCA Qualified Health Information Network, giving it a gatekeeper role over which entities could send those requests.

The plaintiffs allege that Health Gorilla onboarded entities that had no legitimate treatment relationship with the patients whose records they pulled, ignored red flags when anomalies surfaced, and dismissed provider concerns as technical glitches. The complaint tallies hundreds of thousands of records obtained from Epic and OCHIN customers alone, with individual counts running to 140,000-plus records for the Mammoth defendants and 100,000-plus for SelfRx. Additional unknown volumes allegedly came from VA systems and non-Epic EHR platforms.

Those records, the complaint alleges, were then monetized for non-treatment purposes, including mass-tort plaintiff recruitment, without patient consent or their treating physicians' knowledge. Some defendants allegedly returned "junk data" in response to reciprocal queries to simulate legitimate clinical exchange and avoid detection.

The complaint pleads fraud, aiding and abetting fraud, violations of the California Unfair Competition Law, breach of contract, and a Computer Fraud and Abuse Act claim under 18 U.S.C. Section 1030. The plaintiffs demand a jury trial and seek injunctive relief that would revoke the defendants' access to Carequality and TEFCA, require deletion of all wrongly obtained patient data, and order disgorgement of profits.

The broader stakes are explicit in the pleading. The complaint warns that if providers lose confidence in the frameworks and stop participating, "the cornerstone innovation of healthcare interoperability may soon be reduced to a bygone ideal." Whether the court agrees that the defendants' conduct fits the fraud and CFAA theories will test the legal guardrails around a system designed to make health data move, not to police who is asking for it.