UPMC says its medical records may have been improperly accessed by Health Gorilla, a patient data gatekeeper accused in federal court of mismanaging sensitive information.
Health Gorilla requested data “under the pretext of providing treatment to shared UPMC patients and claimed it had permission to do so,” according to a brief statement from UPMC on Friday. The health system didn’t immediately return a request for further comment.
Compromised information could include the ages, names, diagnoses and medical histories of patients, but not their Social Security numbers. UPMC is alerting anyone potentially impacted. The organization has also reported the incident to the U.S. Department of Health and Human Services.
Exchanges like Health Gorilla vet requests to view patient records. These federally regulated intermediaries are meant to protect sensitive data while allowing for continuity of care between health systems.
Records platform Epic, which is used by UPMC and most other major health systems, sued Health Gorilla and several of its clients in January for improperly retrieving and monetizing nearly 300,000 patient records.
This data was sold to attorneys assembling class-action lawsuits for specific medical diagnoses, according to a complaint filed in federal court in California.
Health Gorilla denies the accusations.
One of the defendants, GuardDog Telehealth, admitted Friday to fraudulently pulling patient information and agreed with Epic to severely limit its access to medical records.
“GuardDog’s consent judgment has no legal impact on Health Gorilla, and is incomplete at best and misleading at worst,” Health Gorilla said in a statement Friday.