What Happened at Michigan Medicine
Michigan Medicine is notifying approximately 551 patients about a serious privacy incident. The Ann Arbor-based academic medical center confirmed that unauthorized third parties accessed patient medical records through a national health information exchange. The breach came to light after EHR vendor Epic flagged unusual activity tied to third-party record requests.
This incident raises urgent questions about the security of shared health data networks — and the role EHR vendors play in detecting threats before health systems even know they exist.
How Epic Detected the Unauthorized Access
Epic’s Early Warning on January 13
On January 13, Epic alerted Michigan Medicine to suspicious activity linked to third-party companies requesting patient records. The health system then launched an internal review to determine the scope of the problem. That review revealed that unauthorized access likely occurred between March 12 and March 25, 2026. However, the underlying activity stretched back much further — from October 18, 2023, through November 12, 2025.
Why the Timeline Matters
The extended window of potential exposure is significant. Over more than two years, bad actors may have repeatedly pulled patient records without detection. Moreover, no treatment-related reason could be confirmed for many of these requests, which further suggests improper intent. Michigan Medicine publicly disclosed the incident through a May 1 news release.
What Patient Data Was Compromised
The compromised records potentially included a range of sensitive personal and clinical details. Specifically, the exposed information covered:
- Demographic details — names, addresses, and dates of birth
- Clinical data — diagnoses, medications, and laboratory or test results
- Health insurance information
Notably, Social Security numbers and financial data were not part of the breach. As a result, Michigan Medicine believes the risk of identity theft or medical fraud remains low. Nevertheless, the exposure of clinical data still carries meaningful privacy risks for affected individuals.
The Federal Lawsuit Against Health Gorilla
Epic Takes Legal Action
In January 2026, Epic filed a federal lawsuit in the U.S. District Court for the Central District of California. The defendants include Health Gorilla and several other parties. According to the lawsuit, these companies gained access to patient records by impersonating legitimate healthcare providers. They allegedly used fictitious websites, shell companies, and fraudulent provider credentials to slip past verification systems.
Health Gorilla Denies the Allegations
Health Gorilla pushed back swiftly. The company told Becker’s Hospital Review that it “vehemently” denies the allegations. Despite that denial, Epic’s lawsuit links Health Gorilla’s alleged activity directly to the suspicious requests that triggered the Michigan Medicine investigation. The litigation remains ongoing, and Michigan Medicine says it is actively coordinating with regulators as the case develops.
UPMC Faces a Similar Incident
Michigan Medicine is not alone. Pittsburgh-based UPMC received a similar alert from Epic in March 2026. In that case, Epic alleged that Health Gorilla requested patient data under the pretense of coordinating care for shared patients. Health Gorilla denied those allegations as well, calling them “yet another example of Epic’s exclusionary actions.” Consequently, the pattern across two major health systems suggests a broader, systemic threat rather than an isolated event.
What Affected Patients Should Do Now
Michigan Medicine began mailing notifications to affected patients on May 1. Beyond notification, the health system is offering practical guidance to help patients protect themselves. Here are the key steps patients should take:
- Review your insurance statements carefully for services you do not recognize
- Watch for unusual medical bills or explanation-of-benefits documents from your insurer
- Follow Michigan Medicine’s identity theft guidance, which accompanies the notification letter
- Contact Michigan Medicine directly if you have questions about whether your records were accessed
Additionally, patients should stay alert to any suspicious communications — particularly phishing emails or calls that reference their healthcare provider or insurance details.
What This Means for Healthcare Data Security
EHR Vendors as Security Monitors
This incident highlights an evolving and important role for EHR vendors like Epic. Rather than simply storing records, these platforms now actively monitor access patterns across large networks. Their ability to flag anomalies early — as Epic did in January — can significantly limit the damage caused by bad actors.
Health Information Exchanges Carry Inherent Risks
At the same time, this case exposes a structural vulnerability in health information exchange networks. These networks enable faster, more coordinated care. Yet, they also create access points that fraudulent actors can exploit if verification systems are not robust enough. As a result, healthcare organizations must strengthen credential-verification protocols for all third-party data requests.
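The monitoring role described in the two sections above, as an added illustration that is not code from Epic, Michigan Medicine or this article: a minimal detector over constructed HIE record-request logs that flags requesting organizations whose record pulls mostly lack a documented treatment relationship, and reports the span of time and number of distinct patients involved. The log format, the organization names and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RecordRequest:
    requester: str                 # requesting organization (constructed name)
    patient_id: str
    requested_on: date
    treatment_relationship: bool   # was a treatment relationship documented?

def flag_requesters(requests, min_requests=3, max_relationship_ratio=0.5):
    """Return {requester: summary} for requesters with at least min_requests
    pulls where the share backed by a documented treatment relationship is
    at or below max_relationship_ratio (assumed thresholds)."""
    by_requester = defaultdict(list)
    for r in requests:
        by_requester[r.requester].append(r)
    flagged = {}
    for name, reqs in by_requester.items():
        if len(reqs) < min_requests:
            continue  # too few pulls to judge
        with_rel = sum(1 for r in reqs if r.treatment_relationship)
        ratio = with_rel / len(reqs)
        if ratio <= max_relationship_ratio:
            dates = sorted(r.requested_on for r in reqs)
            flagged[name] = {
                "requests": len(reqs),
                "distinct_patients": len({r.patient_id for r in reqs}),
                "relationship_ratio": ratio,
                "first_seen": dates[0],   # how far back the activity reaches
                "last_seen": dates[-1],
            }
    return flagged

# Constructed sample log: one ordinary clinic and one suspicious requester.
SAMPLE_LOG = [
    RecordRequest("Riverside Family Clinic", "P001", date(2024, 2, 3), True),
    RecordRequest("Riverside Family Clinic", "P002", date(2024, 5, 9), True),
    RecordRequest("Riverside Family Clinic", "P003", date(2024, 8, 1), False),
    RecordRequest("Acme Care Partners LLC", "P010", date(2023, 10, 20), False),
    RecordRequest("Acme Care Partners LLC", "P011", date(2024, 4, 2), False),
    RecordRequest("Acme Care Partners LLC", "P012", date(2025, 1, 15), False),
    RecordRequest("Acme Care Partners LLC", "P013", date(2025, 11, 3), True),
]

if __name__ == "__main__":
    for name, summary in flag_requesters(SAMPLE_LOG).items():
        print(name, summary)
```

A real deployment would read the exchange's audit trail instead of the constructed list and would add further signals such as request volume per day and newly registered requesters.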
Regulatory Scrutiny Will Likely Increase
Michigan Medicine is already coordinating with regulators. Furthermore, the dual incidents at Michigan Medicine and UPMC are likely to draw wider attention from federal oversight bodies. HIPAA enforcement actions, combined with Epic’s ongoing litigation, could accelerate industry-wide reform of how health information exchanges vet and monitor third-party access.
