Epic Systems Corporation is a major American health information technology company. It develops electronic health records (EHR) software – the systems hospitals and clinics use to store and manage patient medical records. They are the dominant EHR vendor in the United States. Over 1,900 hospitals and 49,000 clinics use Epic’s EHR software. Their Care Everywhere interoperability tool exchanges over 20 million patient records daily.
On January 13, 2026, Epic Systems Corporation and four healthcare system co-plaintiffs (OCHIN, Reid Health, Trinity Health, and UMass Memorial Health) filed a landmark lawsuit in the Central District of California targeting an alleged syndicate of companies that fraudulently extracted hundreds of thousands of patient medical records from national health data exchange networks – not to treat patients, but to allegedly sell those records to mass tort law firms.
The defendants allegedly gained access to the Carequality and TEFCA interoperability frameworks – systems that collectively facilitate over one billion patient record exchanges monthly – by falsely claiming to be healthcare providers retrieving records for treatment purposes. In reality, according to the complaint, the records were being harvested and sold to plaintiff attorneys for use in identifying and recruiting clients for mass tort lawsuits, including PFAS “forever chemical” litigation and other class actions.
No law firms are named as defendants – the complaint stops at the companies allegdly selling records to attorneys (LlamaLab, Hoppr, NHPC), not the firms buying them. However, the complaint is unusually detailed about the commercial relationship: LlamaLab advertised at Mass Torts Made Perfect, Hoppr pitched personal injury attorneys directly, and the Integritort predecessor was caught on video demonstrating live record retrieval to a “law firm lead generation business.”
The complaint is unusually explicit about the role of plaintiff-side attorneys as the downstream buyers of these records. Key details include:
– – LlamaLab, Inc. (New York): Described in the complaint as offering “Same-Day Medical Records Retrieval for Law Firms” and “medical-grade AI analysis tools.” LlamaLab sponsored the October 2025 Mass Torts Made Perfect conference, a major national plaintiff attorney gathering, and exhibited in the medical records category. Its CEO, Shere Saidon, presented its services to class action attorneys at that conference.
– – Hoppr, LLC (Dallas, TX): Founded by Meredith Manak, also the CEO of defendant Unit 387 LLC. Hoppr’s stated business is to “instantly aggregate all patient records” for law firms and insurance companies. Manak gave a September 2025 presentation to personal injury attorneys titled “How to Request and Receive All of Your Client’s Medical Records In Less Than 48 Hours for 1 Low Flat Fee.”
– – PFAS Litigation Targeting: Records returned by RavillaMed to healthcare providers contained no actual treatment information, but instead reorganized existing diagnoses to highlight PFAS (forever chemical) exposure associations — a subject heavily litigated in mass tort court.
– – Nationwide Healthcare Provider Corp (NHPC): Defendant Ryan Hilton of the Mammoth entity group is listed as the NPI owner of NHPC, which markets patient record access directly to attorneys. NHPC’s promotional materials boasted it could pull records “straight from providers’ EHRs” to “representative firms” in “minutes, not weeks.”
On March 13, 2026, plaintiffs and defendant Critical Care Nurse Consultants LLC d/b/a GuardDog Telehealth entered a Stipulated Judgment and Permanent Injunction, the first resolution in the case. Paragraph 5 of that document reads “GuardDog admits that, since it began operating as a company in 2024, its goal was to provide chronic care management (“CCM”) and remote patient monitoring (“RPM”) for patients, but that did not happen. For the duration of its existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms. GuardDog further admits that its predecessor, Critical Care Nurse Consulting LLC (“CCNC”), provided similar services and medical records to law firms between 2022 and 2024;”
This lawsuit represents the first major litigation challenge to what plaintiffs characterize as an organized “Hydra” of entities exploiting health data infrastructure for plaintiff recruitment. Plaintiffs allege that “When caught, rather than stopping their activity, the bad entity owners, operators, and those in their inner circles simply create new companies. The scheme thus operates like a Hydra: when one fraudulent entity is exposed, the bad actors birth a new one. As an example, when concerns were raised to Health Gorilla about one of their connections, an entity called Critical Care Nurse Consulting, over its affiliation with law firms, it abruptly stopped taking patient records via Carequality in September 2024. That very same month, a related organization previously onboarded by Health Gorilla, Defendant SelfRx, began taking large volumes of patient records. Both Critical Care Nurse Consulting and SelfRx are customers of Defendant Unit 387, an intermediary health data broker onboarded by Health Gorilla.”
The case is ongoing. A scheduling conference is set for April 23, 2026, and several defendants (e.g., the Mammoth group) have filed or are briefing motions to dismiss.