Michigan Medicine is notifying about 551 patients of a privacy incident involving unauthorized access to medical information through a national health information exchange after its EHR vendor Epic flagged unusual activity.
The Ann Arbor-based academic medical center said it was first alerted Jan. 13 by Epic to unusual activity tied to third-party companies requesting patient records. Epic has linked similar activity in a federal lawsuit to Health Gorilla and other defendants.
An internal review later found that between March 12 and March 25, 2026, one or more third parties may have accessed records without proper authorization, including instances where no treatment-related reason for the request could be confirmed, according to a May 1 news release.
The unauthorized access dates to the period between Oct. 18, 2023, and Nov. 12, 2025.
In January, Epic filed a federal lawsuit in the U.S. District Court for the Central District of California against Health Gorilla and other defendants. The lawsuit alleges the companies gained access to patient records by posing as legitimate healthcare providers, using fictitious websites, shell companies and fraudulent provider credentials. Health Gorilla told Becker’s after the lawsuit was filed that it “vehemently” denies the allegations.
The compromised information may have included demographic details such as names, addresses and dates of birth; clinical data including diagnoses, medications and test results; and health insurance information. Social Security numbers were not involved, according to Michigan Medicine.
Michigan Medicine said it began notifying affected individuals by mail May 1 and is working with Epic and network partners to investigate the incident and prevent future occurrences. The organization is also coordinating with regulators and monitoring the ongoing litigation.
The health system said it believes the risk of identity or medical theft is low because financial information and Social Security numbers were not exposed. However, it is advising patients to review insurance statements for unfamiliar services and providing guidance on protecting against identity theft.
Pittsburgh-based UPMC was also notified by Epic of a similar breach in March, alleging Health Gorilla requested patient data under the guise of coordinating care for mutual patients. Health Gorilla denied those allegations, calling them “yet another example of Epic’s exclusionary actions.”
The post Epic flags improper access to Michigan Medicine patient records appeared first on Becker's Hospital Review | Healthcare News & Analysis.