GuardDog Telehealth Accused of Illegally Selling Patient Medical Records to Law Firms
A legal filing has revealed that GuardDog Telehealth, a telehealth organization, accessed and shared patient medical records under false pretenses, allegedly selling sensitive data to law firms. According to a lawsuit filed in January, the company claimed it needed the records for treatment purposes but instead provided them to attorneys targeting clients with specific injuries.
The complaint, reported by Reuters, accuses GuardDog, Health Gorilla, and other entities of exploiting systems designed to share medical records among healthcare providers. Epic, a plaintiff in the case, alleges that these companies used "sham healthcare providers" to request records without legitimate medical justification. GuardDog admitted in court documents that while it marketed itself as offering chronic care management (CCM) and remote patient monitoring (RPM) since its 2024 launch, its actual business model centered on obtaining, reviewing, and summarizing medical records for law firms.
The fallout from the alleged breach has already impacted healthcare providers. The University of Pittsburgh Medical Center (UPMC) notified patients of a potential data exposure after Health Gorilla requested records under the guise of treating shared patients, falsely claiming authorization. Compromised data may include names, ages, medical diagnoses, and treatment histories.
The case remains ongoing against Health Gorilla and other defendants.
GUARDDOG AI cybersecurity rating report: https://www.rankiteo.com/company/guarddogai
{
  "id": "GUA1773853882",
  "linkid": "guarddogai",
  "type": "Breach",
  "date": "1/2024",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Healthcare',
'name': 'GuardDog Telehealth',
'type': 'Telehealth Organization'},
{'industry': 'Healthcare',
'name': 'Health Gorilla',
'type': 'Healthcare Data Platform'},
{'customers_affected': 'Patients with potential data '
'exposure',
'industry': 'Healthcare',
'location': 'Pittsburgh, Pennsylvania, USA',
'name': 'University of Pittsburgh Medical Center '
'(UPMC)',
'type': 'Healthcare Provider'}],
'attack_vector': 'Exploitation of legitimate medical record-sharing systems',
'customer_advisories': 'UPMC notified affected patients of potential data '
'exposure',
'data_breach': {'data_exfiltration': 'Yes (allegedly sold to law firms)',
'personally_identifiable_information': 'Names, ages, medical '
'diagnoses, treatment '
'histories',
'sensitivity_of_data': 'High (includes personally '
'identifiable information and medical '
'diagnoses)',
'type_of_data_compromised': 'Medical records'},
'description': 'A legal filing has revealed that GuardDog Telehealth, a '
'telehealth organization, accessed and shared patient medical '
'records under false pretenses, allegedly selling sensitive '
'data to law firms. The company claimed it needed the records '
'for treatment purposes but instead provided them to attorneys '
'targeting clients with specific injuries. The complaint '
'accuses GuardDog, Health Gorilla, and other entities of '
'exploiting systems designed to share medical records among '
"healthcare providers using 'sham healthcare providers' to "
'request records without legitimate medical justification.',
'impact': {'brand_reputation_impact': 'Significant reputational damage to '
'GuardDog Telehealth and associated '
'entities',
'data_compromised': 'Patient medical records, including names, '
'ages, medical diagnoses, and treatment '
'histories',
'identity_theft_risk': 'High',
'legal_liabilities': 'Ongoing lawsuit and potential regulatory '
'penalties',
'operational_impact': 'Potential disruption to healthcare '
"providers' record-sharing processes",
'systems_affected': 'Medical record-sharing systems (e.g., Epic)'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain through sale of medical records to law firms',
'post_incident_analysis': {'root_causes': 'Exploitation of medical '
'record-sharing systems under false '
'pretenses, lack of verification '
'for record requests'},
'references': [{'source': 'Reuters'},
{'source': 'Legal filing (January lawsuit)'}],
'regulatory_compliance': {'legal_actions': 'Ongoing lawsuit filed by Epic',
'regulations_violated': 'Potential violations of '
'HIPAA (Health Insurance '
'Portability and '
'Accountability Act)'},
'response': {'communication_strategy': 'Patient notifications by UPMC '
'regarding potential data exposure'},
'threat_actor': 'GuardDog Telehealth, Health Gorilla, and other entities',
'title': 'GuardDog Telehealth Accused of Illegally Selling Patient Medical '
'Records to Law Firms',
'type': 'Data Breach',
'vulnerability_exploited': 'Misuse of authorized access to medical records '
'under false pretenses'}