U.S. hospital warns of possible Health Gorilla data breach

PENNSYLVANIA, UNITED STATES — A leading United States health system has warned that patient records may have been improperly accessed through a third-party data exchange, raising fresh concerns about oversight and governance in the nation’s rapidly expanding health data ecosystem.
According to a report from Trib Live, UPMC said its medical records may have been accessed by Health Gorilla under questionable circumstances, potentially exposing sensitive patient information such as names, ages, diagnoses and medical histories.
The system clarified that Social Security numbers were not involved and that affected patients are being notified, while the incident has been reported to the United States Department of Health and Human Services.
Health Gorilla requested data “under the pretext of providing treatment to shared UPMC patients and claimed it had permission to do so,” according to a statement from UPMC.
Governance gaps—not outsourcing—at center of dispute
The case is unfolding alongside a lawsuit filed by Epic Systems, which alleges Health Gorilla and several clients improperly accessed and monetized nearly 300,000 patient records.
According to the complaint, the data was sold to attorneys pursuing class-action cases tied to specific diagnoses. Health Gorilla has denied the allegations.
For hospitals and health systems, the dispute underscores a critical distinction: the issue lies less with data sharing or outsourcing itself, and more with how access is governed and verified across national data exchanges.
Exchanges like Health Gorilla are designed to vet and authorize requests for patient data to ensure continuity of care.
However, the allegations suggest weaknesses in enforcing “purpose-of-use” rules—particularly when third parties claim treatment-related access without sufficient validation.
By contrast, established healthcare outsourcing providers, particularly in revenue cycle management, coding and care coordination, typically operate with stricter safeguards. These include clearly defined delivery centers, role-based access controls, and continuous audit trails that record who accessed data and why.
A checklist for safer data partnerships
The incident is likely to prompt U.S. providers to tighten vendor oversight, especially as reliance on third parties grows. Health systems should require vendors to meet baseline standards: named onshore or offshore delivery sites, documented purpose-of-use for every data request, and centralized logging with anomaly detection.
These practices are already standard among leading healthcare BPO firms, which must comply with stringent contractual and regulatory requirements. In contrast, the lawsuit alleges that some entities linked to the case cycled through new companies when access was cut off—highlighting risks tied to opaque intermediaries.
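The following is an added illustration of the purpose-of-use validation and log-based anomaly detection this section calls for; it is example code written for this page, not code from UPMC, Health Gorilla, Epic or any exchange. The encounter table, organisation IDs, patient IDs and the 365-day relationship window are constructed assumptions. A request that claims TREATMENT is released only when the requester has a recent encounter with that patient in the health system's own records, every decision is written to an audit log, and a requester that is repeatedly denied across many distinct patients is flagged for review.

```python
"""Purpose-of-use gate for health data exchange requests (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: encounters the health system already holds.
# A requester may claim TREATMENT only for patients it has actually seen.
ENCOUNTERS = {
    # patient_id: {(org_id, encounter_date), ...}
    "P-1001": {("ORG-A", date(2024, 5, 2))},
    "P-1002": {("ORG-A", date(2024, 1, 15)), ("ORG-B", date(2024, 6, 20))},
    "P-1003": {("ORG-B", date(2023, 2, 1))},   # relationship older than the window
    "P-1004": set(),                           # never treated by an outside org
}

ALLOWED_PURPOSES = {"TREATMENT"}          # assumption: only treatment is automated
RELATIONSHIP_WINDOW = timedelta(days=365)  # assumption: how recent an encounter must be


@dataclass(frozen=True)
class RecordRequest:
    requester: str
    patient_id: str
    purpose: str
    requested_on: date


@dataclass
class AuditLog:
    """Centralised log of every decision: who asked, for whom, why, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, req, decision, reason):
        self.entries.append({
            "requester": req.requester, "patient": req.patient_id,
            "purpose": req.purpose, "date": req.requested_on.isoformat(),
            "decision": decision, "reason": reason,
        })


def has_treatment_relationship(org, patient_id, as_of):
    """True if `org` had an encounter with the patient inside RELATIONSHIP_WINDOW."""
    return any(
        enc_org == org and timedelta(0) <= as_of - enc_date <= RELATIONSHIP_WINDOW
        for enc_org, enc_date in ENCOUNTERS.get(patient_id, set())
    )


def evaluate(req, log):
    """Allow or deny one request; the claimed purpose is verified, not trusted."""
    if req.purpose not in ALLOWED_PURPOSES:
        log.record(req, "DENY", "purpose not permitted")
        return False
    if req.patient_id not in ENCOUNTERS:
        log.record(req, "DENY", "unknown patient")
        return False
    if not has_treatment_relationship(req.requester, req.patient_id, req.requested_on):
        log.record(req, "DENY", "no current treatment relationship")
        return False
    log.record(req, "ALLOW", "treatment relationship verified")
    return True


def flag_bulk_unverified(log, threshold=3):
    """Requesters denied for missing relationships across `threshold` or more patients."""
    denied = defaultdict(set)
    for e in log.entries:
        if e["decision"] == "DENY" and e["reason"] == "no current treatment relationship":
            denied[e["requester"]].add(e["patient"])
    return {org: len(p) for org, p in denied.items() if len(p) >= threshold}


def run_demo():
    """Constructed request stream: one legitimate request, one stale relationship,
    one disallowed purpose, one unknown patient, and ORG-C sweeping every patient."""
    log = AuditLog()
    d = date(2024, 7, 1)
    requests = [
        RecordRequest("ORG-A", "P-1001", "TREATMENT", d),
        RecordRequest("ORG-B", "P-1003", "TREATMENT", d),
        RecordRequest("ORG-A", "P-1001", "RESEARCH", d),
        RecordRequest("ORG-C", "P-9999", "TREATMENT", d),
    ] + [RecordRequest("ORG-C", pid, "TREATMENT", d) for pid in sorted(ENCOUNTERS)]
    decisions = [evaluate(r, log) for r in requests]
    return decisions, flag_bulk_unverified(log), log


if __name__ == "__main__":
    decisions, flags, log = run_demo()
    for entry in log.entries:
        print(entry)
    print("flagged requesters:", flags)
```

The point of the design is that the claimed purpose is a hint, not an authorisation: the decision rests on evidence the data holder controls (its own encounter history), and the log is structured so that a simple aggregation over denials surfaces a requester probing many patients it has no relationship with.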
For healthcare providers, the episode reinforces a broader lesson: as data-sharing networks expand, the greatest vulnerabilities may lie not in regulated outsourcing partners, but in poorly governed data exchanges operating with limited transparency.