Electronic Health Record Lawsuit

Electronic health record lawsuits are a growing category of legal cases that challenge how hospitals, health systems, and EHR companies handle patient data, control access to medical information, and compete in the healthcare technology market. These cases represent a collision between rapid digital health adoption and longstanding patient rights—when the convenience of digital records clashes with privacy breaches, unauthorized data sales, or deliberate restrictions on who can access medical information. In January 2026, Epic Systems and five major health systems filed suit against Health Gorilla and associated data companies for allegedly accessing and monetizing approximately 300,000 patient medical records without authorization, then selling that data to law firms. This case exemplifies a broader pattern: as EHRs have become central to American healthcare, the legal system is catching up to regulate how patient data moves through these systems and who profits from it.

EHR lawsuits fall into several distinct categories. Some target data breaches and unauthorized access—patients whose medical records were stolen or improperly shared. Others challenge monopolistic practices by dominant EHR vendors, particularly Epic Systems, which controls approximately 40 percent of the U.S. EHR market. Still others focus on specific design choices, like MyChart’s automatic restrictions on parental access to children’s medical records after age 12, which Texas alleged constitutes unlawful data gatekeeping. A fourth category involves emerging technology concerns: recent lawsuits allege hospitals use AI-powered medical transcription without proper patient consent. These cases matter because they affect not just individual patients seeking compensation, but the fundamental rules governing how health data is stored, accessed, and commercialized.

What Are the Major Electronic Health Record Lawsuits Currently in Court?

The most significant recent EHR case is the Epic v. Health Gorilla lawsuit filed on January 12, 2026, in federal court. Epic Systems, Reid Health, Trinity Health, UMass Memorial Health, and OCHIN jointly sued Health Gorilla—a company that provides data aggregation and patient record access tools—along with associated data companies. The lawsuit alleges that Health Gorilla and its partners fraudulently accessed medical records for approximately 300,000 patients and then sold that data to law firms without patient knowledge or consent. Epic claims this wasn’t a one-time breach but a deliberate, ongoing business model: extracting health data and monetizing it through third parties. The stakes are high because if proven, the case could establish that EHR intermediaries cannot simply treat patient data as a commodity to buy and sell.

A parallel but distinct case emerged in December 2025, when Texas Attorney General Ken Paxton filed an antitrust lawsuit against Epic Systems itself in Tarrant County District Court. Texas alleges that Epic monopolizes the EHR market and uses that dominance to gate-keep patient data and restrict parental access to children’s medical information. Specifically, Texas claims that Epic’s MyChart system automatically limits parental proxy access when a child reaches age 12, hiding medication lists, treatment notes, and provider messages from parents. This case reframes the issue: rather than focusing on data breaches by bad actors, it positions Epic’s own design choices as anti-competitive gatekeeping. The filing represents a significant government challenge to Epic’s market dominance and its control over patient data access pathways. For patients, the implication is striking—the state argues that Epic’s software design choices are restricting access to medical information in ways that benefit Epic financially but harm patients and their families.

Data Breaches and Unauthorized Access in EHR Systems

Beyond the deliberate data sales alleged in the Health Gorilla case, EHR systems have proven vulnerable to breaches that expose patient information to criminals and bad actors. The RXNT data breach, confirmed on April 17, 2026, illustrates this vulnerability. RXNT is prescription software used by healthcare providers nationwide. Attackers gained unauthorized access to patient names, dates of birth, addresses, contact information, and patient IDs. The breach demonstrated a critical weakness: even specialized medical software—not just general hospital networks—can be compromised, and when breached, it exposes sensitive health identifiers that patients need to function in healthcare systems. RXNT patients had no control over this breach; they simply discovered their data had been stolen.

The challenge with EHR security is the fundamental tension between access and protection. EHRs exist to make patient information available to authorized users—doctors, nurses, pharmacists, specialists. But that same accessibility makes data attractive to thieves. Healthcare organizations have struggled to implement adequate security controls without slowing legitimate clinical work. Many breaches stem not from sophisticated hacking but from simple negligence: unencrypted devices, weak passwords, poor access controls, or employees fooled by phishing attacks. Patients have little visibility into these security practices; they place trust in health systems and EHR vendors to protect their data without clear standards for what “adequate protection” means. Unlike financial institutions, healthcare has no equivalent to FDIC insurance or fraud liability protections that would compensate patients when their data is breached. This asymmetry—patients bear the risk, but have no legal recourse—motivates many lawsuits in this space.

EHR Litigation Cases by Claim Type

Interoperability: 342
Data Breach: 289
Usability: 156
Vendor Fraud: 198
Implementation: 127

Source: Federal Court Records 2024

Data Gatekeeping and Parental Access Restrictions

One of the most contentious EHR lawsuit issues is Epic’s MyChart default settings regarding parental access to children’s medical records. Under Epic’s system, when a child turns 12, the default setting automatically restricts parental proxy access. Parents can no longer see medication lists, treatment notes, or messages from providers—the assumption being that adolescents deserve privacy from their parents. The system does allow parents to request access or teenagers to grant access, but the default is lockdown. Texas argues this default represents unlawful data gatekeeping and anti-competitive behavior. The state’s concern is not that teenagers deserve privacy—that’s a legitimate clinical policy question—but that Epic unilaterally decided to restrict access in a way that advantages its own business interests and disadvantages competitors.

The Texas lawsuit specifically notes that the Austin Diagnostic Clinic settled with the state by restoring full parental proxy access for children aged 12 to 17, establishing that at least one health system found this restriction problematic and unacceptable. The significance of this restriction extends beyond parental convenience. Parents pay for their children’s healthcare, make medical decisions, monitor medication compliance, and are legally responsible for their care. If a teenager has a serious condition, changes medications, or shows concerning symptoms, parents are effectively locked out of information they need. Conversely, Epic can argue that respecting adolescent privacy aligns with modern clinical best practices and ethical guidelines that recognize teenagers’ developing autonomy. This tension—between legitimate privacy interests and legitimate parental information needs—has no easy answer, but Texas contends it should not be unilaterally decided by a single software company based on market power rather than medicine.

Antitrust Challenges to Epic’s Market Dominance

Epic Systems controls approximately 40 percent of the U.S. EHR market, making it far larger than any competitor. This dominance has triggered multiple antitrust lawsuits. In addition to Texas’s case, federal lawsuits have been filed by smaller EHR and health data companies including Particle Health and CureIS Healthcare. These companies allege Epic uses its market dominance to restrict interoperability, block data exchange, and maintain high switching costs that make it nearly impossible for health systems to abandon Epic for a competitor. In September 2025, a federal judge allowed Particle Health’s antitrust case against Epic to proceed, rejecting Epic’s motion to dismiss.

This ruling signals that courts believe antitrust claims against Epic have legal merit—that controlling 40 percent of a critical healthcare infrastructure market raises legitimate competitive concerns. The antitrust angle is important because data access is not just a privacy issue; it’s also a competition issue. If Epic can prevent data from flowing to competitors, or can extract data and profit from it while competitors cannot, that creates an unfair competitive advantage. However, antitrust cases are slow and complex. The Particle Health case, if it proceeds to trial, could take years to resolve. In the meantime, Epic’s market share likely continues to grow, and the competitive opportunity window for challengers may close. This timing problem—the sluggish pace of antitrust enforcement versus the rapid consolidation of digital markets—is a recurring frustration in tech regulation.

AI Recording in Healthcare Encounters Without Clear Consent

A newer category of EHR-adjacent litigation involves AI transcription tools used during patient-doctor conversations. A federal lawsuit alleges that Sutter Health and MemorialCare, two large California health systems, use Abridge AI’s medical transcription tool to record and transcribe patient-doctor conversations without explicit patient authorization. The tool’s purpose is efficient—to create written records of what was discussed—but patients were neither informed that recording was happening nor given a choice to opt out. This case raises fundamental questions about the scope of consent in healthcare. When a patient visits a doctor and discusses symptoms, treatment options, and personal health information, what are they agreeing to? Traditional consent assumes documentation will occur—doctors take notes.

But recording the audio, storing it in the cloud, running it through AI algorithms, and retaining it indefinitely is qualitatively different. Patients cannot see the transcripts the AI generates or correct errors. If the AI mishears a medication name, symptoms, or medical history, that error becomes part of the permanent health record. Beyond the immediate patient, AI recordings may be used for training AI models, sold to researchers, or accessed by employees beyond those directly involved in care. Sutter and MemorialCare argue that the tool improves clinical efficiency and patient care, but the lawsuit challenges whether efficiency gained through undisclosed recording meets legal and ethical standards. This case is emblematic of a broader pattern: healthcare is adopting AI tools rapidly without pausing to clarify what patients are consenting to.

Settlement Outcomes and Patient Compensation

Unlike many lawsuits that take years to resolve, some EHR cases have reached settlement. The Austin Diagnostic Clinic settlement with Texas represents a concrete outcome: the clinic agreed to restore full parental proxy access to children’s medical records for ages 12 to 17. This settlement doesn’t involve cash compensation; instead, it mandates a change in practice. From a patient perspective, this is impactful—if you’re a parent who was previously locked out of your child’s medical information, the settlement restores access.

However, it also illustrates a limitation of settlements: they may resolve the specific case but do not change the default settings across the entire Epic system for all patients nationwide. The Epic v. Health Gorilla case, still in early stages, seeks damages for the 300,000 patients whose records were allegedly accessed and sold without consent. If successful, it could establish a precedent that unauthorized data access carries significant financial consequences, potentially creating a deterrent for other data aggregation companies considering similar practices. However, the more significant outcome would be the precedent: confirming that patient data cannot be extracted and monetized without explicit consent, regardless of how convenient or profitable such extraction might be for intermediaries.

Regulatory Landscape and Future Outlook

EHR litigation is growing partly because regulatory oversight has lagged behind technological change. HIPAA, the federal privacy law governing health information, was passed in 1996 before EHRs existed in their current form and predates cloud computing, AI, and the modern data economy. HIPAA provides baseline privacy protections, but it does not address many issues raised in current lawsuits—data access defaults, antitrust concerns, AI recording, or data monetization by intermediaries. State attorneys general, like Texas, are stepping in to fill regulatory gaps, but this patchwork approach means enforcement is inconsistent and slow.

Looking forward, the EHR lawsuit landscape will likely expand. As more states challenge Epic’s practices, as more data breaches occur, and as more AI tools are deployed without clear consent, litigation will continue. The outcomes of the Epic v. Health Gorilla case and the Texas antitrust lawsuit will be particularly consequential; they could establish new rules for how patient data is handled and who controls access to medical information. For now, patients involved in these cases face a long wait for resolution while continuing to use healthcare systems whose data practices they may not trust.

Conclusion

Electronic health record lawsuits represent a necessary legal correction to the healthcare industry’s rapid digitization. As health systems and technology vendors have moved to collect, store, and share patient data through EHRs, they have operated in many cases without clear rules governing access, monetization, and design choices that affect patients. The lawsuits discussed here—Epic v. Health Gorilla, Texas v. Epic, data breaches like RXNT, and AI recording cases—all challenge different aspects of how EHRs handle patient information. Some seek compensation for breaches; others seek to overturn anti-competitive practices or restore patient access rights.

If you believe you may be affected by any of these cases—whether as a patient whose data was accessed without consent, a parent restricted from viewing your child’s medical records, or someone harmed by a data breach—monitoring case developments and consulting with a lawyer is advisable. Many of these cases are in early stages, and as they progress, compensation mechanisms or settlement programs may become available to affected patients.

