Reid Health, UMass Memorial Health, Michigan Medicine and Epic Systems Corp.: 'Sham' network accessed 300,000 medical records, including Michigan's

Massive Medical Records Breach Exposes 300,000 Patients, Including Michigan Medicine Patients

A sophisticated cyber scheme has compromised nearly 300,000 medical records, including those of 551 Michigan Medicine patients, after a network of fraudulent entities posed as legitimate healthcare providers to access sensitive data. The breach, which occurred between October 18, 2023, and November 12, 2025, was uncovered when Epic Systems Corp., the vendor behind Michigan Medicine’s electronic health records, detected unusual activity from third-party companies exploiting a health information exchange.

The exposed data included demographic details (names, addresses, dates of birth), clinical information (diagnoses, medications, test results), and health insurance records, though Social Security numbers were not accessed. The breach stemmed from a coordinated effort by entities like Mammoth, RavillaMed, and GuardDog Telehealth, which allegedly used fake websites, shell companies, and fraudulent National Provider Identification (NPI) numbers to deceive healthcare systems into releasing records.

Epic filed a lawsuit on January 13, 2026, in the U.S. District Court for the Central District of California, accusing Health Gorilla Inc., a health information network, of enabling the scheme. The complaint alleges that Health Gorilla’s network monetized patient data without consent, including selling it to lawyers for class-action recruitment, and inserted false entries into medical records to mask their activities. The lawsuit compares the operation to a Hydra, with new fraudulent entities emerging as others are exposed.

Michigan Medicine, along with Trinity Health, Reid Health, UMass Memorial Health, and OCHIN, joined the legal action. An internal review conducted March 12–25, 2026, confirmed unauthorized access to patient records, though the health system assessed the risk of identity or medical theft as low due to the absence of financial or Social Security data. Michigan Medicine has since reported the incident to regulators, is monitoring the lawsuit, and has notified affected patients, advising them to review insurance statements for suspicious activity.

Health Gorilla denies the allegations, calling Epic’s lawsuit "misleading and unfounded" and stating it suspended connections with the implicated entities upon discovery. CEO Bob Watson criticized Epic’s response as irresponsible, vowing to defend against the claims.

The breach highlights vulnerabilities in health information exchanges, with Epic reporting that additional records from other U.S. providers, including the Department of Veterans Affairs, may have been compromised. The full scope of the incident remains under investigation.

Source: https://www.freep.com/story/news/health/2026/05/01/michigan-medicine-epic-medical-records-breach-health-gorilla-lawsuit/89888461007/

Outset Medical, Inc. cybersecurity rating report: https://www.rankiteo.com/company/outset-medical

EPIC SYSTEMS INC cybersecurity rating report: https://www.rankiteo.com/company/epicsystemsinc

Michigan Medicine cybersecurity rating report: https://www.rankiteo.com/company/michigan-medicine

UMass Memorial Medical Center cybersecurity rating report: https://www.rankiteo.com/company/umass-memorial-medical-center

"id": "OUTEPIMICUMA1777660615",
"linkid": "outset-medical, epicsystemsinc, michigan-medicine, umass-memorial-medical-center",
"type": "Breach",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '551 patients',
                        'industry': 'Healthcare',
                        'location': 'Michigan, USA',
                        'name': 'Michigan Medicine',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'location': 'USA',
                        'name': 'Trinity Health',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'location': 'USA',
                        'name': 'Reid Health',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'location': 'Massachusetts, USA',
                        'name': 'UMass Memorial Health',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare',
                        'location': 'USA',
                        'name': 'OCHIN',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Healthcare/Government',
                        'location': 'USA',
                        'name': 'Department of Veterans Affairs',
                        'type': 'Government Healthcare Provider'}],
 'attack_vector': 'Fraudulent third-party access via health information '
                  'exchange',
 'customer_advisories': 'Affected patients notified and advised to review '
                        'insurance statements for suspicious activity.',
 'data_breach': {'data_exfiltration': 'Yes (potential sale to lawyers for '
                                      'class-action recruitment)',
                 'number_of_records_exposed': '300,000',
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, dates of '
                                                        'birth, health '
                                                        'information)',
                 'sensitivity_of_data': 'High (medical and personal health '
                                        'information)',
                 'type_of_data_compromised': ['Demographic details (names, '
                                              'addresses, dates of birth)',
                                              'Clinical information '
                                              '(diagnoses, medications, test '
                                              'results)',
                                              'Health insurance records']},
 'date_detected': '2025-11-12',
 'date_publicly_disclosed': '2026-01-13',
 'description': 'A sophisticated cyber scheme has compromised nearly 300,000 '
                'medical records, including those of 551 Michigan Medicine '
                'patients, after a network of fraudulent entities posed as '
                'legitimate healthcare providers to access sensitive data. The '
                'breach stemmed from a coordinated effort by entities like '
                'Mammoth, RavillaMed, and GuardDog Telehealth, which allegedly '
                'used fake websites, shell companies, and fraudulent National '
                'Provider Identification (NPI) numbers to deceive healthcare '
                'systems into releasing records.',
 'impact': {'brand_reputation_impact': 'High (public lawsuit, patient '
                                       'notifications, regulatory scrutiny)',
            'data_compromised': '300,000 medical records',
            'identity_theft_risk': 'Low (Social Security numbers not accessed)',
            'legal_liabilities': 'Lawsuit filed by Epic Systems and affected '
                                 'healthcare providers',
            'operational_impact': 'Unauthorized access to patient records, '
                                  'potential legal and regulatory consequences',
            'systems_affected': ['Michigan Medicine’s electronic health '
                                 'records (Epic Systems)',
                                 'Health Gorilla’s health information '
                                 'network']},
 'initial_access_broker': {'backdoors_established': 'Fraudulent NPI numbers, '
                                                    'fake websites, shell '
                                                    'companies',
                           'data_sold_on_dark_web': 'Potential (alleged sale '
                                                    'to lawyers for '
                                                    'class-action recruitment)',
                           'entry_point': 'Health information exchange (Health '
                                          'Gorilla’s network)',
                           'high_value_targets': 'Medical records, health '
                                                 'insurance data',
                           'reconnaissance_period': 'October 18, 2023 – '
                                                    'November 12, 2025'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Vulnerabilities in health information exchanges can be '
                    'exploited by fraudulent entities using fake credentials '
                    'and shell companies. Need for stricter verification of '
                    'third-party access to sensitive data.',
 'motivation': 'Financial gain (monetization of patient data, potential sale '
               'to lawyers for class-action recruitment)',
 'post_incident_analysis': {'corrective_actions': ['Suspension of connections '
                                                   'with fraudulent entities',
                                                   'Internal review of patient '
                                                   'records access',
                                                   'Regulatory reporting and '
                                                   'patient notifications',
                                                   'Legal action against '
                                                   'implicated parties'],
                            'root_causes': ['Lack of stringent verification '
                                            'for third-party access to health '
                                            'information exchanges',
                                            'Exploitation of fake credentials '
                                            'and shell companies by threat '
                                            'actors',
                                            'Insufficient monitoring of data '
                                            'access patterns']},
 'recommendations': ['Enhance verification processes for third-party access to '
                     'health information exchanges',
                     'Implement stricter monitoring of data access patterns',
                     'Improve detection of fraudulent entities posing as '
                     'legitimate providers',
                     'Strengthen legal and regulatory safeguards for patient '
                     'data sharing'],
 'references': [{'source': 'Epic Systems Corp. lawsuit'},
                {'source': 'Michigan Medicine statement'},
                {'source': 'Health Gorilla response'}],
 'regulatory_compliance': {'legal_actions': 'Lawsuit filed in U.S. District '
                                            'Court for the Central District of '
                                            'California',
                           'regulations_violated': ['HIPAA (potential '
                                                    'unauthorized access and '
                                                    'disclosure of PHI)'],
                           'regulatory_notifications': 'Yes (reported to '
                                                       'regulators)'},
 'response': {'communication_strategy': 'Patient advisories, public '
                                        'statements, regulatory notifications',
              'containment_measures': 'Suspension of connections with '
                                      'implicated entities (Health Gorilla)',
              'incident_response_plan_activated': 'Yes (internal review '
                                                  'conducted March 12–25, '
                                                  '2026)',
              'remediation_measures': 'Patient notifications, monitoring of '
                                      'lawsuit, regulatory reporting'},
 'stakeholder_advisories': 'Healthcare providers advised to review third-party '
                           'access and monitor for suspicious activity.',
 'threat_actor': ['Mammoth', 'RavillaMed', 'GuardDog Telehealth'],
 'title': 'Massive Medical Records Breach Exposes 300,000 Patients, Including '
          'Michigan Medicine Patients',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Exploitation of health information exchange '
                            'systems, fake NPI numbers, and shell companies'}