Health Gorilla Fights Back, Claims Deception in Data Scandal

📊 Key Data
  • 21 meetings recorded between Health Gorilla and GuardDog Telehealth (July 2024–November 2025)
  • 2025 case study released by Health Gorilla, co-developed with GuardDog, outlining telehealth services for clinical care
  • Consent judgment against GuardDog Telehealth, banning it from accessing data through national networks
🎯 Expert Consensus

Experts view this case as a critical vulnerability in the digital health ecosystem, highlighting the need for stronger governance and auditing mechanisms to ensure appropriate data exchange under interoperability frameworks like TEFCA.

Health Data Network Fires Back in Interoperability Dispute

CORAL GABLES, FL – March 20, 2026 – In a significant move to control a damaging narrative, health data intermediary Health Gorilla has released a trove of internal documents and communications aimed at demonstrating it was misled by a key business partner. The company asserts that GuardDog Telehealth consistently misrepresented its data access needs as being for "treatment purposes," a claim now at the heart of a high-stakes legal battle with electronic health record giant Epic Systems.

The public defense comes just weeks after GuardDog Telehealth entered into a consent judgment with Epic, admitting that its primary business involved providing patient records to law firms, not the chronic care management it had purportedly pitched. Health Gorilla, which remains a defendant in Epic's lawsuit, is now fighting to distance itself from its former partner's actions, arguing it was a victim of deception, not a willing accomplice.

A Partnership Under Scrutiny

The controversy stems from a federal lawsuit filed by Epic Systems and a consortium of healthcare providers, which alleges that Health Gorilla enabled GuardDog and other entities to improperly access and monetize patient health information. The suit claims these companies exploited national interoperability frameworks, like Carequality and the newly established Trusted Exchange Framework and Common Agreement (TEFCA), by falsely claiming a "treatment" relationship with patients to pull their records.

In its recent settlement, GuardDog Telehealth acknowledged that its stated goal of providing remote patient monitoring "did not happen." Instead, its business model pivoted to reviewing medical records for law firms. The consent judgment, if approved, would permanently ban GuardDog from accessing data through the national networks.

This settlement left Health Gorilla, a designated Qualified Health Information Network (QHIN) under TEFCA, in a precarious position. The lawsuit alleges the company conducted "little to no vetting" of its clients, effectively opening the door for misuse of the system. Health Gorilla vehemently disputes this, and its latest move is a direct counter-offensive.

"As Ms. Hanna confirms, GuardDog repeatedly asserted it was engaged in treatment purpose queries," stated Bob Watson, Chairman & CEO of Health Gorilla, in a press release. He was referring to a statement from GuardDog's co-owner, Justine Hanna, who, despite the settlement, maintained her company's belief that its actions fell under treatment. Watson added, "The case study Health Gorilla is releasing confirms that GuardDog's consent judgment... does not provide a complete picture of the facts."

An Arsenal of Evidence

To bolster its claims of good faith, Health Gorilla has made public a 2025 case study it co-developed with GuardDog. The marketing document reportedly outlines GuardDog's services as a telehealth provider focused on clinical care delivery, chronic condition management, and care coordination.

Beyond the case study, Health Gorilla claims to possess a substantial evidence locker, including recordings from 21 separate meetings held between July 2024 and November 2025, alongside a multitude of emails. The company states that in these communications, GuardDog representatives consistently described workflows where clinicians would use patient records to develop treatment plans and conduct ongoing monitoring. Health Gorilla's position is clear: it provides the secure infrastructure for data exchange but does not access or review the patient information itself, relying on the attestations of its partners.

Further complicating the narrative is the statement from GuardDog's co-owner. "To be clear, GuardDog always believed and continues to maintain that its services were for treatment purposes, including when GuardDog sent records to law firms," Justine Hanna said. She noted that patients provided HIPAA authorizations, and the company believed the record queries were to assist in treatment. Health Gorilla has seized on this, arguing it validates its reliance on GuardDog's representations.

The Blurring Lines of 'Treatment'

This case throws a harsh spotlight on the critical, and at times ambiguous, definition of "treatment" under federal regulations. Under the Health Insurance Portability and Accountability Act (HIPAA), "treatment" is broadly defined to include the provision, coordination, and management of healthcare. This broad definition is designed to facilitate the flow of information necessary for quality care without creating undue administrative burdens.

TEFCA, the framework under which Health Gorilla operates as a QHIN, also permits data exchange for treatment, aligning its definition closely with HIPAA's. The entire system of trust is built on participants accurately attesting to their purpose for requesting data. Activities like providing records to law firms for mass tort litigation, even with patient consent, are generally considered outside the scope of "treatment" as envisioned by these interoperability frameworks.

Industry experts suggest the lawsuit highlights a critical vulnerability in the digital health ecosystem. While technology has enabled seamless data exchange, the governance and auditing mechanisms to ensure that exchange is appropriate have lagged. The case raises the question of a QHIN's ultimate responsibility: is it merely a conduit that must trust its partners, or is it a gatekeeper required to perform deep, forensic vetting of every client's business model?

A Crisis of Trust for Interoperability

The fallout from the GuardDog scandal extends far beyond the companies involved. The allegations have sent a chill through the healthcare industry, threatening to erode trust in the very interoperability initiatives designed to improve patient care. Some healthcare providers have reportedly considered limiting their participation in national data exchanges out of fear that their patients' data is not secure.

Epic's lawsuit characterized the alleged scheme as a "Hydra," where shutting down one bad actor only causes others to appear. This framing suggests a systemic problem that requires more than just self-policing. For its part, Health Gorilla has painted the lawsuit as an "attack on interoperability" by a market incumbent seeking to stifle competition and control data access.

As the legal proceedings against Health Gorilla continue, the entire health-tech industry watches closely. The outcome could set a powerful precedent for the responsibilities of data intermediaries, redefine the operational security required for network participation, and ultimately determine the future architecture of trust in the nationwide health information ecosystem.
