What Happened at UPMC?
A major patient data incident is unfolding at UPMC, one of Pittsburgh’s largest health systems. UPMC is warning that some patients’ medical records may have been improperly accessed after an alert from a vendor connected to a national health data-exchange network. The health system has since begun notifying affected individuals and alerting federal authorities.
This disclosure has raised serious concerns about the security of national health information exchange systems — and about how patient data moves across healthcare networks without adequate safeguards.
How Health Gorilla Gained Access
At the center of this incident is a company called Health Gorilla, a health information network that improperly tapped into UPMC patient records by falsely claiming authorization through a national medical data exchange. Specifically, certain participants of this network electronically requested information under the pretext of providing treatment to shared UPMC patients and claimed they had permission to do so.
The Role of Epic Systems
UPMC learned of the breach through Epic, its EHR vendor, which flagged that a network called Health Gorilla had requested patient data under the guise of coordinating care for mutual patients. Epic’s alert was the first signal that something was wrong — and it triggered an immediate investigation by UPMC officials.
Why UPMC Could Not Simply Opt Out
Importantly, UPMC had no choice but to participate in the exchange network. Because participation in the national exchange network is mandatory for health systems such as UPMC, patient records are accessible to other providers through the platform — a requirement that in this case may have been exploited. This detail is critical. It means that even compliant health systems can become victims when third parties abuse shared infrastructure.
What Patient Data Was Exposed?
Patients are understandably anxious about what information was accessed. Fortunately, the most sensitive financial identifiers appear to be safe. Patient Social Security numbers were not among the potentially exposed data. However, names, ages, diagnoses, and medical histories may have been compromised.
Why Medical Data Still Matters
Even without Social Security numbers, this type of exposure is serious. Medical history and diagnosis data can be used to target individuals for litigation marketing, insurance fraud, and other predatory practices. Therefore, patients should not dismiss this incident simply because financial data was not involved.
The Epic Systems Lawsuit Explained
This UPMC disclosure does not exist in isolation. It connects to a much larger legal battle. Two months before UPMC’s disclosure, Epic and several health systems filed a federal lawsuit against Health Gorilla in January, accusing the company of fraudulently accessing and monetizing sensitive patient records through national health information exchange frameworks.
Scale of the Alleged Misconduct
Epic’s lawsuit alleges fraud and breach of contract by Health Gorilla’s customers, who requested and accessed health records under the guise of being healthcare providers and then used the records for financial gain instead of providing treatment. The scale is alarming. The lawsuit claims nearly 300,000 patient records managed by Epic were improperly accessed.
How the Records Were Allegedly Misused
The records were then allegedly rerouted to mass tort litigation marketing services, allowing law firms to identify potential plaintiffs based on diagnoses. In other words, sensitive medical conditions were turned into a tool for legal recruitment — entirely without patient knowledge or consent.
Health Gorilla’s Response
Health Gorilla has pushed back on these allegations. The company said it “vehemently” denies the allegations, calling the lawsuit “yet another example of Epic’s exclusionary actions that limit competition and restrict access to health care data.” Additionally, a Health Gorilla spokesperson stated the company “has never and will never sell user data” and said it acted immediately when concerns were raised, suspending the connections in question.
How UPMC Is Responding
UPMC moved quickly once it received Epic’s alert. The Pittsburgh health system said it is notifying people who might be affected and has already contacted federal regulators. Specifically, UPMC has reported the matter to the HHS Office for Civil Rights, which oversees HIPAA compliance and patient privacy enforcement.
Furthermore, UPMC has set up direct resources for concerned patients, including a dedicated phone line for questions at 1-855-460-8762. Patients who believe they may be affected are encouraged to use this line to seek guidance.
What Affected Patients Should Do Now
If you are a UPMC patient, here are practical steps to take right now:
- Call the dedicated helpline at 1-855-460-8762 for direct answers about your records.
- Monitor your health insurance statements for any unexplained claims or services you did not receive.
- Stay alert for suspicious communications that reference your medical history or diagnoses.
- Document any concerns and report them to both UPMC and your insurance provider.
- Review your rights under HIPAA, which entitles you to know when and how your records have been accessed.
Taking these steps early can help limit any potential harm resulting from unauthorized data access.
Why This Breach Raises Bigger Concerns
Beyond UPMC, this incident highlights a fundamental vulnerability in the U.S. health data exchange system. The defendants allegedly exploited two national interoperability frameworks — Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA) — which allow healthcare providers to exchange patient records for legitimate treatment purposes.
These frameworks exist to help patients receive coordinated care across providers. However, the UPMC case shows that bad actors can exploit the same systems. Moreover, the complaint alleges that Health Gorilla failed to uphold its contractual responsibilities to verify the legitimacy of entities before allowing access to sensitive patient data, and that it ignored red flags raised by providers.
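The abuse pattern described above, treatment-purpose requests for patients the requester has no care relationship with, is something a responding organization can watch for in its own exchange audit logs, independent of the network operator's vetting. The following is an added example and not code from UPMC, Epic or Health Gorilla; the log line format, the participant names and the local encounter registry are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample record-request audit lines (hypothetical format; not real
# UPMC, Epic or Health Gorilla data). Each line is one query received over the
# exchange: when, which participant asked, the purpose of use it asserted, and
# which patient it asked about.
AUDIT_LINES = """\
2024-01-10T09:01:00 requester=metro-family-clinic purpose=TREATMENT patient=P100
2024-01-10T09:05:00 requester=metro-family-clinic purpose=TREATMENT patient=P101
2024-01-10T09:06:00 requester=broker-x purpose=TREATMENT patient=P200
2024-01-10T09:06:04 requester=broker-x purpose=TREATMENT patient=P201
2024-01-10T09:06:09 requester=broker-x purpose=TREATMENT patient=P202
2024-01-10T09:06:13 requester=broker-x purpose=TREATMENT patient=P203
2024-01-10T09:07:00 requester=metro-family-clinic purpose=TREATMENT patient=P300
malformed line that the parser must skip
"""

# Constructed local encounter registry: for each participant, the patients we
# know we have actually co-treated with them (the "shared patient" relationship
# that a treatment-purpose request is supposed to rest on).
SHARED_ENCOUNTERS = {"metro-family-clinic": {"P100", "P101"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) requester=(?P<org>\S+) purpose=(?P<purpose>\S+) patient=(?P<pid>\S+)$"
)


def parse_audit(text):
    """Yield (org, purpose, patient_id) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("org"), m.group("purpose"), m.group("pid")


def flag_requesters(events, shared, max_unrelated=3):
    """Return {org: (treatment_requests, unrelated_patients)} for participants
    whose TREATMENT-purpose requests name at least max_unrelated distinct
    patients with no shared encounter on record. A single unmatched patient
    (a genuinely new referral) stays below the threshold."""
    total = defaultdict(int)
    unrelated = defaultdict(set)
    for org, purpose, pid in events:
        if purpose != "TREATMENT":
            continue
        total[org] += 1
        if pid not in shared.get(org, set()):
            unrelated[org].add(pid)
    return {org: (total[org], len(unrelated[org]))
            for org in total if len(unrelated[org]) >= max_unrelated}


if __name__ == "__main__":
    for org, (n, u) in flag_requesters(parse_audit(AUDIT_LINES), SHARED_ENCOUNTERS).items():
        print(f"review {org}: {n} treatment requests, {u} patients with no shared encounter")
```

Flagged participants are candidates for review with the network operator, not proof of misuse; the threshold and the encounter-matching rule should be tuned to local referral volume.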
As healthcare becomes increasingly digital, the integrity of these exchange networks will determine whether patients can trust the system with their most private information. Regulators, health systems, and technology vendors must act together to close these gaps before more patients are harmed.
