Abuse on the Interoperability Networks: A Summary of Unauthorized Access to Patient Data 

January 2026 complaint: Epic alleges Health Gorilla enabled Mammoth, RavillaMed, Unit 387, GuardDog Telehealth, SelfRx, and others to improperly access and monetize nearly 300,000 patient medical records from members of the Epic community. 

• “Interoperability has profoundly enhanced the quality of patient care, and national interoperability frameworks now facilitate the real-time exchange of patient records across networks, with tens of millions of patient records being seamlessly exchanged each day.” 

• “At stake are both the protection of medical records that contain some of a person’s most sensitive data…and the ability of physicians to keep their promises to patients that their information will be kept private.” 

• The Complaint alleges that the defendants:  
  • “Operate as organized syndicates to monetize patient records without patients’ knowledge or consent.” 
  • “Request patient records for the purpose of treating patients but take patient records for other purposes including to market them to lawyers looking for potential claimants…to join mass tort or class action lawsuits.” 
  • “Obscure their true purpose through fictitious websites, shell entities, and sham National Provider Identification (NPI) numbers…to create an illusion of legitimate patient treatment…” 
  • Cover their tracks by inserting junk data into patient medical records “to give the false impression that they are treating patients…” 

• Epic alleges the scheme operates like a Hydra: “when one fraudulent entity is exposed, the bad actors birth a new one…If not stopped, they will continue to inappropriately market the patient data they have already taken and will take more.” 

Unit 387 and its relationship with its co-defendants 

• As alleged in the Complaint: 
  • Through Health Gorilla, Unit 387 grants organizations access to patient data by onboarding them onto the Carequality network.  
  • Both Critical Care Nurse Consulting (later known as Critical Care Nurse Consultants, as well as GuardDog Telehealth) and SelfRx were granted access to Carequality by Unit 387.  
  • Since gaining access to the Carequality framework, SelfRx has taken over 100,000 patient records through Carequality from Epic’s healthcare provider customers (in addition to an unknown number of patient records that were taken from organizations nationwide, including from the VA and providers using other EHRs). 
  • Since gaining access to the Carequality and TEFCA frameworks, CCNC/GuardDog has taken over 52,000 patient records through Carequality from Epic’s healthcare provider customers (in addition to an unknown number of patient records that were taken from organizations nationwide, including from the VA and providers using other EHRs). 

March 2026: Defendant GuardDog Telehealth admits to providing patient records to law firms. 

• On Friday, March 20th, Judge Fernando M. Olguin of the U.S. District Court of the Central District of California entered an injunction order that permanently barred GuardDog from accessing TEFCA and Carequality and required it to delete patient data taken over TEFCA or Carequality. 

• GuardDog admitted that “its goal was to provide chronic care management and remote patient monitoring for patients, but that did not happen. For the duration of its existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms.” GuardDog obtained these records “by asserting a treatment purpose” through Carequality. 

• GuardDog admitted that its predecessor, CCNC, “indirectly accessed the Carequality Framework through Unit 387.” GuardDog further admitted that “Unit 387 informed CCNC that it was permissible for CCNC to indirectly access the Carequality Framework for the purpose of requesting, reviewing, and summarizing medical records and providing those medical records to law firms.”  

• GuardDog further conceded that “Unit 387 was impermissibly holding itself out as CCNC and requesting medical records from the Carequality Framework under the false assertion that those medical records were being requested by CCNC, when the medical records were in fact being requested directly by Unit 387 without CCNC’s knowledge. GuardDog did not discover the full extent of the number of medical record requests made by Unit 387 under CCNC’s credentials without CCNC’s knowledge or permission until 2025.”  

June 2026: Despite more than 100,000 patient records being taken using SelfRx’s Carequality directory entry, SelfRx CEO and Founder signs sworn declaration stating that SelfRx “requested medical records for only 21 patients” and “I do not know who took those over 100,00 patient records.”  

• SelfRx’s connection to Carequality was supposed to be governed by the Carequality Connection Terms (CCT). But as the SelfRx CEO attested, “to the best of my knowledge and recollection, neither Unit 387 nor Health Gorilla had SelfRx execute the CCT to participate in the Carequality framework nor did SelfRx otherwise execute the CCT.” 

• “SelfRx requested medical records for only 21 patients and received records for 15 of those patients, for a total record count of fewer than 100 records for these 15 patients (a single patient can have more than one record).”  

• Other than these requests, “SelfRx was not knowingly involved in and had no knowledge of any other patient record requests through the Carequality framework.” 

• “SelfRx never provided authority or permission to Meredith Manak, Unit 387, Health Gorilla, or any other entity or person to request patient records from the Carequality framework on SelfRx’s behalf.” 

You can find a copy of the publicly filed declaration here.