GuardDog Telehealth Data Breach Investigation
One of the most fundamental expectations patients have when seeking medical care is that their records stay private. That expectation was allegedly violated by GuardDog Telehealth, a company that has now admitted in federal court to accessing patient medical records under false pretenses and handing them over to law firms without patient consent. If your records were caught up in this scheme, contact our data privacy lawyers to discuss your legal options.
What Is the GuardDog Telehealth Lawsuit?
Epic Systems and a group of healthcare providers including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health filed a lawsuit against companies allegedly exploiting confidential patient records for profit. The lawsuit claims that Health Gorilla, a health information network, allowed GuardDog Telehealth and other companies to improperly access and profit from nearly 300,000 patient medical records.
According to court filings, GuardDog Telehealth claimed to need access to patient medical data for treatment purposes. However, the information accessed was instead sold, in some instances to attorneys seeking clients with specific injuries.
GuardDog is one of a cluster of small telehealth, data, and shell companies that plaintiffs say were used to pose as legitimate healthcare providers. The complaint also states that the defendants inserted junk information into records to hide their activity and give the appearance of genuine care, which in turn risked patient safety and wasted clinician time.
This was not a passive data breach caused by a hacker. This was an intentional scheme built around deceiving healthcare networks to gain access to records that were never meant to leave the medical system.
GuardDog Admits What It Did
GuardDog Telehealth admitted in a court filing that it falsely represented itself as providing treatment in order to access medical records. The filing stated that for the duration of its existence, GuardDog’s business focused on requesting, reviewing, and summarizing medical records and providing those records to law firms.
GuardDog and Epic have since reached an agreement and are seeking a court order permanently barring GuardDog from requesting health records via the Carequality and TEFCA interoperability frameworks. GuardDog has also agreed to delete all patient records obtained from those frameworks and will not use or disclose any patient information going forward.
Court documents also reveal that GuardDog’s predecessor company, Critical Care Nurse Consulting, provided medical records to law firms in a similar way from 2022 to 2024. That means this conduct may have been going on for years before it was finally exposed.
Why This Is a Serious Violation of Patient Privacy
Medical records are among the most sensitive pieces of personal information a person has. They can contain details about chronic conditions, mental health history, medications, prior injuries, surgical history, and much more. Patients share this information with their doctors in confidence, with the reasonable expectation that it will be used to provide care and nothing else.
The University of Pittsburgh Medical Center released a statement informing patients of the potential breach of their data after Health Gorilla requested records under the pretext of providing treatment. UPMC is just one of many healthcare organizations whose patients may have been affected. The harm from this kind of violation is real and lasting:
- Sensitive health information shared without consent can affect employment, insurance coverage, and personal relationships
- Patients had no knowledge their records were being reviewed, summarized, and sold
- The records were used as a commercial product rather than as part of genuine medical care
- Patients were effectively exploited as raw material for a profit-driven data scheme
What Legal Rights Do Affected Patients Have?
The unauthorized disclosure of protected health information can give rise to legal claims under federal and state law, including violations of HIPAA, state consumer protection statutes, and common law privacy claims. Patients whose records were accessed and distributed without consent may be entitled to compensation for the harm they suffered.
The GuardDog Telehealth lawsuit is still developing. Three new, separate putative class action lawsuits have been filed against Epic and several co-defendants, alleging Epic was negligent in failing to prevent Health Gorilla and its clients from connecting to its Care Everywhere health information exchange. The legal landscape is expanding quickly, and affected patients need experienced representation to navigate it.
If your records were accessed through Health Gorilla, GuardDog, or any of the related entities named in this litigation, you deserve to know your rights.
How The Lyon Firm Can Help
The Lyon Firm has extensive experience representing patients and consumers whose private information was exposed, misused, or sold without their consent. We understand the unique harm that comes with medical data privacy cases, and we know how to hold companies accountable when they treat patient records as a product rather than a protected trust.
We handle these cases on a contingency basis, meaning you pay nothing unless we recover compensation for you. Our attorneys will review your situation, explain what claims may be available, and pursue every avenue for recovery on your behalf.