A telehealth organization admitted in a legal filing that it accessed patient medical records under false pretenses in order to share the sensitive information with law firms. According to a lawsuit filed in January, the organization GuardDog Telehealth claimed to need the data for treatment purposes. However, the information accessed was instead sold. The lawsuit claims that in some instances, the data was sold to attorneys seeking clients with specific injuries.  

As reported by Reuters, the company allegedly “exploited systems” that share patient medical records across healthcare providers. Epic, one of the plaintiffs in this case, asserts that GuardDog Telehealth, Health Gorilla and other companies utilized “sham healthcare providers” to request records. 

The public filing states, “GuardDog admits that, since it began operating as a company in 2024, its goal was to provide chronic care management (“CCM”) and remote patient monitoring (“RPM”) for patients, but that did not happen. For the duration of its existence, its business instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms.” 

Already, healthcare entities are feeling the repercussions of this alleged data privacy breach. The University of Pittsburgh Medical Center (UPMC) released a statement informing patients of the potential breach of their data after Health Gorilla requested records “under the pretext of providing treatment to shared UPMC patients” and asserting “it had permission to do so.” 

According to UPMC, compromised information may include: 

• Names
• Ages
• Medical diagnoses
• Medical history 

At this time, the case is continuing against Health Gorilla and other defendants.