It took me a bit to get my head around this one; https://healthapiguy.substack.com/p/epic-v-health-gorilla-a-... has a great alternative breakdown. This is my understanding of the situation; if someone has any corrections, I would love to be enlightened!
Essentially, Epic, a massive healthcare company running the majority of electronic healthcare/medical record systems for hospitals/etc. makes data available to various data brokers, who then subcontract to other healthcare providers. The goal of this subcontracting is that if you e.g. come into an emergency department unconscious, but with identification, doctors can pull data from the broker, solemnly swear that they're treating you, and gain access to your whole medical record. Generally, good actors in this space will seek signed consent paperwork, or have policies in place with narrow carve-outs for emergency access, but there is (to my understanding) not a centralized, standardized system of access request, patient approval, and auditing.
There have been many issues in the past with shady providers who are, indeed, treating the patients, also turning around to sell the data they have to legal firms looking for plantiffs for lawsuits under the guise of "we're helping the patient by potentially giving them access to lawsuits that will advocate for them."
This current lawsuit alleges that the data brokers this time were simply turning a blind eye to completely fraudulent actors who never had the patient under their care, and that their access was knowingly used to bulk-mine patient data for lawsuit opportunities.
jkingsman•1h ago
Essentially, Epic, a massive healthcare company running the majority of electronic healthcare/medical record systems for hospitals/etc. makes data available to various data brokers, who then subcontract to other healthcare providers. The goal of this subcontracting is that if you e.g. come into an emergency department unconscious, but with identification, doctors can pull data from the broker, solemnly swear that they're treating you, and gain access to your whole medical record. Generally, good actors in this space will seek signed consent paperwork, or have policies in place with narrow carve-outs for emergency access, but there is (to my understanding) not a centralized, standardized system of access request, patient approval, and auditing.
There have been many issues in the past with shady providers who are, indeed, treating the patients, also turning around to sell the data they have to legal firms looking for plantiffs for lawsuits under the guise of "we're helping the patient by potentially giving them access to lawsuits that will advocate for them."
This current lawsuit alleges that the data brokers this time were simply turning a blind eye to completely fraudulent actors who never had the patient under their care, and that their access was knowingly used to bulk-mine patient data for lawsuit opportunities.