Epic Is Being Sued From Every Direction: What Health System CFOs Must Understand About the EHR Interoperability War
Three new class actions, a CMS data mandate, and a vendor that controls 40% of hospital records. Here's what the litigation wave means for your budget.
On March 15, 2026, three new class action lawsuits landed against Epic in a single day, all in the same Wisconsin courthouse, all citing Epic's own prior lawsuit as their factual backbone. Meanwhile, CMS Administrator Dr. Mehmet Oz stood at HIMSS this week and told a room full of healthcare executives to "kill the clipboard" and give patients QR-code access to their own records. These two events are not unrelated, and if you're a healthcare CFO, the gap between what regulators want and what your EHR vendor delivers is about to become a budget line item.
[Figure: Horizontal timeline of the escalating Epic legal landscape, from December 2025 (Texas AG antitrust suit) to March 2026 (three new class actions and the MyChart interoperability suit), overlaid with CMS HIMSS statements.]
The Lawsuit You Didn't Know Could Hit Your Balance Sheet
Epic controls more than 40% of the U.S. hospital EHR market and manages records for hundreds of millions of patients. That market dominance is now attracting legal scrutiny from multiple directions simultaneously.
In early March, a disability advocacy organization and two individuals filed suit in the Western District of Texas. The complaint alleges Epic's architecture deliberately fragments patient records across separate MyChart portals, making it nearly impossible for patients who receive care across multiple health systems to assemble a complete medical history without manually managing multiple accounts.
The financial stakes in that case are concrete. One plaintiff was denied Social Security disability benefits twice due to insufficient medical documentation and died while his appeal was still pending. His father could not access medical records locked behind his son's personal MyChart login. That is not a theoretical regulatory risk. That is a liability exposure that could touch any health system operating on Epic.
Care Everywhere Is Now Everywhere in Court
The second wave of litigation is more complex and more financially significant for health systems.
Epic sued a company called Health Gorilla, along with several related entities, alleging that Health Gorilla's clients accessed patient records through Epic's Care Everywhere health information exchange platform under a false "treatment" purpose. The alleged actual purpose: mining medical records to recruit plaintiffs for separate mass tort lawsuits.
That original Epic suit is now fueling a third layer of litigation. Three new class action complaints filed March 15 in Wisconsin name Epic as a defendant, arguing that Epic's own platform was the vector for the alleged data misuse and that Epic failed to act sooner. The plaintiffs' counsel is reportedly preparing additional filings. Each of Epic's thousands of health system customers is a potential co-defendant.
From a payer perspective, I see this dynamic play out regularly at Florida Blue Medicare. When a health information exchange is used in ways that diverge from its stated purpose, the downstream financial exposure is not limited to the original bad actor. Health systems that signed on to Care Everywhere under Epic's terms and conditions are now being drawn into litigation they had no knowledge of and no meaningful ability to prevent.
What CMS Wants and What Epic Delivers Are on a Collision Course
At HIMSS this week, CMS Administrator Dr. Oz framed technology as a "deflationary force" in a healthcare system he described as managing a $1.7 trillion business. His administration's stated goal is agentic AI for every Medicare member and QR-code-based patient data portability.
CMS Deputy Kimberly Brandt put it more bluntly: "Kill the clipboard."
The practical translation for health system finance leaders is this: CMS wants patient data to move freely, in real time, controlled by the patient. The litigation against Epic is arguing that Epic's architecture was designed to prevent exactly that kind of movement. Both of those things cannot be true simultaneously, and courts and regulators are going to force a resolution.
Epic disputes the characterization aggressively. The company noted in response to the MyChart lawsuit that it has been interoperable with the Social Security Administration for nearly 15 years and that more than 2.7 million records were exchanged electronically between SSA and Epic-based organizations last year. That is a substantive counterargument that finance leaders should not dismiss.
The gap between Epic's stated capabilities and what plaintiffs allege is happening in practice is where the real budget risk lives.
[Table: Side-by-side comparison of "CMS/Regulatory Vision for 2026-2027" (left column) and "Current Litigation Allegations Against Epic" (right column).]
The Three Financial Risks Your Legal Team Needs to Brief Your CFO On
Health system finance leaders need to understand what is at stake across three distinct risk categories before this litigation wave makes it into your next bond covenant conversation.
Litigation Exposure as a Co-Defendant
Every Epic health system customer is a potential co-defendant in patient class actions arising from Care Everywhere misuse. The complaints are explicitly seeking class certification that could cover every patient whose records were accessed through Care Everywhere. Even if your organization bears no direct fault, legal fees, discovery obligations, and reputational exposure are real costs. Depending on your D&O and general liability coverage structure, you may want to have a conversation with your insurance broker now rather than after a named defendant list expands.
Vendor Lock-In as a Capital Planning Risk
The Texas Attorney General's antitrust lawsuit against Epic, filed in December, alleges that Epic monopolizes the EHR market and restricts data portability in ways that prevent health systems from switching vendors. If courts find merit in those arguments, health systems may face a forced migration environment over the next several years. System migrations at the scale Epic typically operates are eight-figure projects with multi-year operational disruption. That risk belongs in your capital reserve modeling.
Regulatory Compliance Cost Acceleration
The 21st Century Cures Act's information-blocking provisions are already embedded in CMS compliance requirements. The MyChart lawsuit cites those provisions directly. If litigation outcomes and regulatory enforcement move in the same direction, health systems using Epic may face pressure to fund interoperability upgrades, third-party API integrations, or patient portal redesigns that are not currently in capital budgets. The intersection of compliance and vendor roadmaps is a budget conversation your IT and finance teams need to be having together.
In my work tracking financial operations across Ascension's seven hospitals, one of the most consistent budget surprises was the downstream cost of vendor contract terms that looked neutral at signing but created operational dependencies that were expensive to unwind. EHR contracts are the most extreme version of that dynamic in healthcare today.
Healthcare Finance Unfiltered covers the financial and operational implications of healthcare technology and regulatory shifts before they hit your budget. If you are not already a subscriber, join the CFOs and VP Finance leaders who read this newsletter to prepare for executive meetings.
What Finance Leaders Should Actually Do Right Now
This section is not legal advice. Your general counsel and outside healthcare counsel need to be in these conversations. But there are four operational finance questions every health system CFO should be asking internally this month.
1. What is your Care Everywhere exposure audit?
Request documentation from your IT team on how many third-party entities have accessed patient records through Care Everywhere in the past 24 months, under what stated purpose, and whether any flagged activity was reviewed or reported. This is a basic risk assessment that your legal team will want answered before any plaintiff's attorney serves a discovery request.
2. How is EHR vendor risk characterized in your bond disclosures and board risk register?
Most health system risk registers treat EHR vendor risk as a technology operational category. Given active antitrust litigation, class action exposure, and federal interoperability mandates, this warrants reclassification as a financial and legal risk with disclosed probability and estimated impact range. Rating agencies and lenders will ask.
3. What is your five-year scenario if vendor migration becomes necessary?
You do not need to believe Epic will lose in court to model this scenario. Regulatory pressure alone may change the economics of Epic's contract terms over the next five years. A migration scenario model is a standard capital planning exercise that belongs in your strategic finance toolkit.
4. Are your payer contracts and value-based arrangements dependent on Epic-specific data feeds?
For payer-side organizations and health systems with significant value-based contracts, interoperability disruptions are not abstract. Claims adjudication, risk adjustment data submission, and quality measure reporting may rely on data flows that are currently dependent on Epic's Care Everywhere infrastructure. Map those dependencies before they become operational failures.
[Figure: Decision tree, "CFO EHR Risk Assessment Flowchart."]
The Systemic Risk Most Finance Leaders Are Missing
The broader issue the Womble Bond Dickinson legal analysis identified is the one that should concern healthcare finance most. If aggressive litigation outcomes cause vendors like Epic or HIE intermediaries to restrict data sharing, build more defensive technical architectures, or slow interoperability investment, the collateral damage lands on health systems and payers in the form of claim denials, delayed reimbursements, and care coordination failures.
CMS is pushing toward a world where patient data moves freely. The litigation wave reflects the reality that the current infrastructure was not built for that world. The transition between those two states is where your budget risk lives over the next three to five years.
Healthcare finance leaders should not wait for court outcomes before modeling these scenarios. The cases are in early procedural stages, motions to dismiss are pending, and consolidation is likely. This litigation cycle could extend well into 2027 and 2028 before any definitive rulings.
That time horizon maps directly to your next two budget cycles. Plan accordingly.
If you are working through how to frame EHR vendor risk for your board or integrate interoperability compliance into your capital planning model, I want to hear from you. Reply to this email or reach out directly through hfi.consulting.
P.S. Has your organization had an internal conversation about Care Everywhere access controls and third-party data use in the past year? Hit reply and tell me what your team is doing, or not doing, on this front. The answer will shape future coverage here.