A Health Data Lawsuit Puts Interoperability on Trial

A dispute over nearly 300,000 health records is forcing tougher oversight as TEFCA-driven data sharing expands nationwide

2 Feb 2026

A lawsuit over the sharing of patient health records is prompting closer scrutiny of how data is governed as interoperability becomes routine across the US healthcare system.

The dispute centres on Health Gorilla, a large health data exchange network, and a group of healthcare organisations led by Epic Systems. Other plaintiffs include OCHIN, Trinity Health, UMass Memorial Health and Reid Health. They allege that almost 300,000 patient records were accessed in ways that went beyond agreed limits.

The lawsuit claims the data may also have been used for monetisation or marketing-related purposes, intensifying concerns about consent, transparency and control once information is shared. Health Gorilla has denied the allegations, saying it has acted within federal rules. The company says it has suspended certain connections while the issues are reviewed.

The case has drawn attention because it involves the infrastructure that underpins modern interoperability. Health Gorilla participates in national exchange frameworks such as the Trusted Exchange Framework and Common Agreement, known as TEFCA, and Carequality, which are designed to allow health data to move securely between organisations. These initiatives are central to federal efforts to reduce fragmentation, improve care coordination and give patients easier access to their records.

The timing is significant. Interoperability is no longer a policy aspiration but an operational requirement, driven by regulation, value based care models and patient demand. While the technical barriers to moving data have largely been overcome, the rules governing how shared information can be reused, audited or restricted are still evolving.

Epic’s involvement reflects a longer running debate within the industry. Large vendors and health systems have argued that broad data exchange without clear guardrails can expose providers to legal and reputational risks. Others warn that tighter controls could slow innovation and weaken national interoperability goals.

The implications extend beyond the courtroom. Data networks are expected to respond by strengthening oversight, improving transparency and giving providers clearer insight into how their data is used once exchanged. Although this may add complexity, proponents argue it could also reinforce trust and support wider participation.

As interoperability enters a more mature phase, the case highlights a shift in focus. Speed and scale remain important, but clarity, accountability and trust are becoming just as central to the system’s next stage of development.