Epic Systems sues Particle Health for unauthorized data sharing


The sign of the same name outside Epic's headquarters in Verona, Wisconsin.

Source: Yiem via Wikipedia CC

Epic Systems, the largest provider of medical records management software, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways that have nothing to do with treatment.

Epic told customers in a notice Thursday that it cut their connection to Particle, hampering the company's ability to access a system with more than 300 million patient records. Particle is one of several companies that act as a sort of middleman between Epic and the organizations (typically hospitals and clinics) that need the data.

Patient data is inherently sensitive and valuable, and is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires patient consent or knowledge for third-party access. One way to access Epic's electronic health records (EHR) is through an interoperability network called Carequality, which facilitates the exchange of more than 400,000 documents a month, according to its website. Particle is a member of the Carequality network.

To join the network, organizations are vetted and must agree to meet clear “permitted purposes” for sharing patient data. Epic responds to requests for data that fall within the permitted purpose of “Treatment,” which means that the recipient provides care to the person whose records it requests.

Epic said in its Thursday notice that it filed a formal dispute with Carequality on March 21, over concerns that Particle and its participating organizations “may be inaccurately representing the purpose associated with its record retrievals.” The company suspended its connection with Particle that day.

“This poses potential security and privacy risks, including the possibility of violations of the HIPAA Privacy Rule,” Epic said in the notice, obtained by CNBC.

In a blog post on Friday evening, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process as well as reliable sharing within the framework.” The organization said it cannot comment on the existence of disputes or member activities.

Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a blog post on Friday evening and said it began “immediately addressing this issue” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said in the post that a big challenge in such matters is that there is “no standard reference to evaluate the definition of Treatment.”

“These definitions have become more difficult to delineate as care has become more complicated with providers, payers, and payers merging into several large healthcare conglomerates,” Particle wrote.

Epic, a 45-year-old private company based in Wisconsin, is the largest EHR vendor by hospital market share in the U.S., with 36% of the market, according to a May report from KLAS Research. Oracle ranks second with 25%, following the software company's $28 billion purchase of Cerner in 2022.

As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, according to a statement. The New York-based startup said at the time that its technology “uniquely combines data from more than 270 million patient medical records by aggregating and unifying healthcare records from thousands of sources.”

Epic said Particle submitted thousands of new participant connections to Carequality in October and claimed they were included in the treatment use case. In the following months, all of Particle's participating organizations claimed a permitted purpose of treatment for their requests, Epic said.

'Use case without treatment'

However, Epic began to notice some red flags. The company said it observed anomalies in patient record sharing patterns, such as requests for a large number of records within a certain geographic region. Additionally, Epic said companies connected to Particle were not sending new patient data, which “suggests a non-treatment use case.”

Epic and its Care Everywhere Governing Council, made up of 15 industry representatives, assessed the connections of Particle's new entrants and determined that organizations like Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “were probably not a good fit to a Permitted Purpose of Treatment,” the notice said.

Epic said it learned that another Carequality member was planning to file a dispute, alleging that Integritort was using patient data to try to identify potential participants in a class action lawsuit. On March 28, Epic said it discovered that a participant named Novellia claimed it was requesting registrations under treatment, despite publicly advertising its product as a “personal health tool.”

Integritort, Reveleer and Novellia did not respond to requests for comment.

Epic said it filed a formal dispute with Carequality upon the recommendation of the Governing Council. On April 4, Epic asked Particle to provide additional information to illustrate how its participants qualify for the treatment use case, according to the notice.

Michael Marchant, chief interoperability and innovation officer at University of California Davis Health, serves as chair of Epic's Governing Council. He said it's difficult to know exactly why Particle might have provided records to these organizations, or whether it intentionally engaged in wrongdoing. But, he said, companies have to act responsibly even if they are pressured to deliver financial results.

“If they were selling to things that they knew were not treatment-related organizations in an effort to match venture capital funding or profit margins or revenue targets or whatever, then that would be really bad,” Marchant told CNBC in an interview.

In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said Epic acted unilaterally and that Particle has seen “no official rationale, justifications, or assertions” surrounding these issues.

Bannister wrote that, to the company's knowledge, “all affected partners directly support the treatment.” He said these organizations extract data from care providers and share it with the Carequality network.

“While we continue to maintain our connection to Carequality, the ability of an implementer to decide, without evidence or even a warning, to disconnect providers on a massive scale, jeopardizes the clinical operations of hundreds of thousands of patients, as well as the trust that is critical to a trust-based exchange,” Bannister wrote.

Bannister did not address Epic's April 4 request for additional information.

The formal dispute process is still ongoing. Marchant, who also serves as co-chair of an advisory board at Carequality, said it is the first time in the network's history that a complaint has gone this far.
