The Coming Audit Economy: How Epic v Health Gorilla Could Birth a New Industry in Healthcare Data Compliance
Abstract
Epic Systems’ January 2026 lawsuit against Health Gorilla and affiliated entities alleges systematic fraud in healthcare interoperability networks, claiming defendants falsely asserted treatment purposes to access patient records that were then monetized for mass tort litigation. While these remain unproven allegations in active litigation, they expose potential structural vulnerabilities in TEFCA and Carequality frameworks that currently rely on trust and self-policing without systematic verification. If even a fraction of the alleged misconduct proves accurate, regulatory response becomes likely. This analysis examines how such response might create demand for purpose-of-use auditing services analogous to Medicare Advantage risk adjustment validation, explores what such a market could look like, and develops a conceptual business case for technology-forward entrants. Market sizing and projections are necessarily speculative given the nascent nature of this potential opportunity.
What the Epic Complaint Actually Alleges
The January 13, 2026 complaint filed in the Central District of California makes sweeping fraud allegations against multiple defendants. These are allegations in active litigation, not established facts. Defendants will present their own evidence and interpretations. That caveat is critical for everything that follows.
Epic alleges that Health Gorilla, operating as both a Carequality Implementer and TEFCA QHIN, onboarded entities claiming treatment purposes for accessing patient records when their actual purposes were non-treatment commercial exploitation. The complaint names three primary defendant groups beyond Health Gorilla: RavillaMed and affiliated entities, Mammoth and affiliated entities, and Unit 387 with its downstream connections.
According to the complaint, RavillaMed joined Carequality in August 2024 through implementer Metriport, pulled 32 records, then was quickly removed after Metriport grew suspicious. Health Gorilla then onboarded RavillaMed to both Carequality and TEFCA in October 2024, despite the fact that this red flag may have been visible to it. From October 2024 through December 2025, RavillaMed allegedly accessed over 42,000 patient records from Epic customers alone, claiming treatment purposes for all requests.
The complaint alleges RavillaMed is closely connected to LlamaLab, a company that openly markets same-day patient record retrieval for law firms. Evidence cited includes RavillaMed owner Dr. Avinash Ravilla being listed on LlamaLab’s website as Chief Medical Officer, Ravilla’s wife working as LlamaLab’s Director of Medical Records, and LlamaLab CEO Shere Saidon participating in RavillaMed’s technical onboarding meetings with implementers. The complaint characterizes returned documentation as clinically useless, organized by PFAS exposure markers relevant to litigation rather than treatment.
For the Mammoth entities, the complaint alleges they accessed over 140,000 records from Epic customers while returning blank or minimally useful clinical documentation. The complaint highlights connections to Daniel Baker, who, the complaint notes, pleaded guilty to federal conspiracy to defraud charges in 2014 in the Central District of California and was CEO of Integritort, which Carequality banned in October 2024 for non-treatment data access. The complaint alleges Baker co-founded Mammoth Rx and serves as CTO despite sworn statements from Mammoth CEO Ryan Hilton denying Baker’s involvement.
Unit 387 and its downstream connections SelfRx and GuardDog allegedly show similar patterns. The complaint notes SelfRx went from single-digit monthly queries to 17,000 in December 2024. GuardDog’s authorized official also founded Mass Tort Medical Consultants. Unit 387’s CEO Meredith Manak also founded Hoppr, which markets instant patient record access to law firms and insurance companies.
The complaint presents exchange pattern data showing non-reciprocal flows where defendants pulled far more records than they returned, volume spikes inconsistent with normal treatment patterns, and returned documentation lacking clinical content. These patterns allegedly indicate non-treatment purposes despite treatment attestations.
Health Gorilla allegedly failed to adequately vet these connections before onboarding and, when Epic raised concerns, defended them rather than investigating. When presented with evidence of problems, Health Gorilla allegedly provided explanations Epic characterizes as false, such as claiming record spikes were technical glitches causing duplicate requests.
Again, these are allegations. Health Gorilla and the other defendants will dispute these characterizations. They may present evidence showing their connections did provide legitimate treatment, that exchange patterns have innocent explanations, or that documentation Epic characterizes as junk actually reflects valid clinical practices. Sworn statements from defendants denying misconduct suggest vigorous defense is coming. The litigation will take years to resolve.
Why Trust-Based Systems Fail Without Verification
Setting aside whether Epic’s specific allegations prove accurate, the complaint highlights a structural governance question in healthcare interoperability. Both TEFCA and Carequality operate on distributed trust models where implementers and QHINs vet their connections, and framework operators provide governance infrastructure but don’t independently verify each participant.
This approach has a legitimate rationale. Carequality has over 100,000 connections with hundreds of changes daily. TEFCA is growing toward similar scale. Central verification of every participant and every query would be operationally impossible and prohibitively expensive. The frameworks instead establish contractual obligations, require implementers to flow down these obligations to connections, and provide dispute resolution when problems arise.
But this creates obvious misaligned incentives. Implementers and QHINs generate revenue from connections and transaction volumes. Every additional connection means more revenue. Thorough vetting costs money and delays revenue generation. Removing problematic connections after onboarding reduces revenue. Absent external pressure, the rational economic choice is minimal vetting and maximum tolerance for questionable connections.
Framework operators like Carequality and TEFCA’s RCE face resource constraints. Carequality is administered by the Sequoia Project with limited staff managing massive connection populations. Systematic audit of participant behavior isn’t within their operational model or budget. TEFCA similarly relies on QHINs to police their own participants.
Participating providers lack real-time fraud detection capability. When a query arrives asserting treatment purpose, EHR systems automatically respond without human review. Providers might notice suspicious patterns retrospectively if they analyze logs, but most lack resources for such analysis. Even Epic, with significant technical sophistication, relied on customer complaints to initially flag concerns before conducting deeper analysis.
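The retrospective log analysis a provider could run on its own exchange logs, using the three indicators the complaint relies on (non-reciprocal flows, volume spikes, and returned documents without clinical content), as an added example that is not code from the complaint, from Epic, or from any framework's tooling. The requester names, log fields and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class MonthlyExchange(NamedTuple):
    requester: str          # hypothetical requesting organization
    month: str              # YYYY-MM
    queries_sent: int       # treatment-purpose queries this requester sent us
    records_retrieved: int  # documents it pulled from us
    records_returned: int   # documents it returned when we queried it
    with_clinical_content: int  # of those returned, how many had real clinical content

# Constructed sample log: a steady clinic beside a requester whose pattern
# matches the indicators the complaint describes (not real data).
SAMPLE_LOG = [
    MonthlyExchange("clinic-a", "2024-10", 900, 880, 850, 840),
    MonthlyExchange("clinic-a", "2024-11", 950, 930, 900, 890),
    MonthlyExchange("clinic-a", "2024-12", 1000, 990, 960, 950),
    MonthlyExchange("requester-x", "2024-10", 8, 8, 2, 2),
    MonthlyExchange("requester-x", "2024-11", 12, 12, 3, 3),
    MonthlyExchange("requester-x", "2024-12", 17000, 16500, 40, 2),
]

SPIKE_FACTOR = 10.0      # month-over-month growth implausible for routine treatment
RECIPROCITY_FLOOR = 0.2  # returned/retrieved below this looks one-directional
CONTENT_FLOOR = 0.5      # fraction of returned documents that should carry clinical content

def assess(log):
    """Return {requester: [flags]} for each requester in the log (assumed thresholds)."""
    by_requester = defaultdict(list)
    for row in log:
        by_requester[row.requester].append(row)
    findings = {}
    for requester, rows in by_requester.items():
        rows.sort(key=lambda r: r.month)
        flags = []
        retrieved = sum(r.records_retrieved for r in rows)
        returned = sum(r.records_returned for r in rows)
        with_content = sum(r.with_clinical_content for r in rows)
        if retrieved and returned / retrieved < RECIPROCITY_FLOOR:
            flags.append("non_reciprocal")
        if returned and with_content / returned < CONTENT_FLOOR:
            flags.append("thin_documentation")
        for prev, cur in zip(rows, rows[1:]):
            if prev.queries_sent and cur.queries_sent / prev.queries_sent >= SPIKE_FACTOR:
                flags.append(f"volume_spike:{cur.month}")
        findings[requester] = flags
    return findings

if __name__ == "__main__":
    for requester, flags in assess(SAMPLE_LOG).items():
        print(requester, flags or "no indicators")
```

A requester with two or more flags is a candidate for the implementer dispute process; none of these indicators alone proves a false purpose attestation.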
This combination creates what economists call a market failure. The parties best positioned to prevent fraud have minimal incentive to do so. The parties harmed by fraud have limited detection capability. Framework operators lack resources for systematic policing. Bad actors can exploit these gaps if willing to lie about purposes.
Whether the exploitation is as widespread as Epic alleges remains to be proven. But the structural vulnerabilities exist regardless. Even if Epic’s specific defendants are innocent, the framework design creates opportunities for future bad actors. Some level of systematic verification beyond self-attestation seems necessary for long-term framework viability.
The RADV Precedent and Its Applicability