Lawsuit exposes hidden market for U.S. medical records

WASHINGTON, UNITED STATES — A federal lawsuit brought by Epic — the nation’s largest medical records vendor — and a group of United States health providers alleges that companies posing as healthcare providers exploited the country’s medical records exchange network to harvest and sell hundreds of thousands of patient files.
According to a report from The Washington Post, an estimated 300,000 patients are caught in the alleged scheme, with no hacking required. Instead, the companies allegedly walked through the front door of the network designed to let hospitals and doctors share patient data nationwide.
For hospital executives, the case exposes a structural vulnerability that ransomware insurance and firewalls can’t fix.
How the system was allegedly exploited
The U.S. medical records exchange network runs through fewer than a dozen technology businesses that serve as “on-ramps” for hospitals, clinics and labs sharing patient data. Those on-ramp companies vet their own clients — and that’s where the system allegedly broke.
“What these bad actors are saying is, ‘Oh cool, there’s an open door, and I will claim, for some nefarious purpose, that this is for care and treatment,’” said Aaron Miri, chief technology officer at Baptist Health in Jacksonville, Florida.
The financial incentive is clear. Patient medical records sell for hundreds of dollars on the dark web, compared to as little as $10 for a stolen credit card, because medical histories can’t be changed like a card number.
Epic alleges that companies sold records to law firms hunting for class-action plaintiffs — and tried to cover their tracks by sending fake treatment notes back to patients’ health systems, where they linger in records and risk affecting future care.
What this means for U.S. hospitals and clinics
Seventy-five hospitals and provider companies have called on the Sequoia Project, the contractor governing much of the records exchange, to adopt tougher vetting standards.
The Trump administration says it’s “actively exploring options to layer in more network oversight and network participant audits.” Sen. Bill Cassidy (R-Louisiana), chair of the Senate HELP Committee, is pushing legislation to expand HIPAA’s reach.
“HIPAA is clearly outdated and ill-equipped to safeguard data in the 21st century,” Cassidy said.
For hospitals already stretched thin, the compliance burden is mounting fast. Vetting third-party data requests, monitoring records exchange activity, auditing patient consent forms and managing breach response now require specialized expertise most providers lack in-house.
That’s why more U.S. health systems are turning to outsourcing partners for medical records management, HIPAA compliance support, data security operations and back-office workflows — protecting patient trust while keeping clinical teams focused on care.





