Your EHR Is Now a Legal Liability: What the Epic Lawsuit and 460 Ransomware Attacks Mean for Your Budget

Interoperability litigation and ransomware economics are converging into a single CFO risk event. Here is what to do before it hits your balance sheet.

Healthcare recorded 460 ransomware attacks in 2025 alone, making it the leading target for cybercrime among all U.S. critical infrastructure sectors. At the same time, Epic Systems is in active federal litigation alleging that nearly 300,000 patient records were fraudulently extracted through the same national interoperability networks your organization uses every day. These are not IT problems. They are balance sheet problems, and your next board meeting needs a financial framework for both.

Infographic showing 460 healthcare ransomware attacks in 2025 alongside 300,000 patient records at risk in Epic interoperability lawsuit, framed as CFO financial risk.

Infographic showing 460 healthcare ransomware attacks in 2025 alongside 300,000 patient records at risk in Epic interoperability lawsuit, framed as CFO financial risk.

The Epic Lawsuit Is Not Just an IT Story

In January, Epic Systems and several health system partners filed a federal lawsuit against Health Gorilla, Unit 387, and related entities. The allegation is specific and serious. Third-party vendors accessed tens of thousands of patient records through Carequality and the Trusted Exchange Framework and Common Agreement, known as TEFCA, by self-attesting that the data requests were for treatment purposes. According to the plaintiffs, those records were then routed to law firms for mass tort litigation marketing.

The case has since been updated. As of early June, claims against one defendant, SelfRx, were voluntarily dismissed after its founder submitted a sworn declaration disputing the scale of access. But the broader lawsuit against Health Gorilla and Unit 387 remains active, with plaintiffs now alleging nearly 300,000 patient records were improperly obtained.

For CFOs, the legal outcome is secondary to what this lawsuit reveals about your current exposure. The interoperability governance tensions driving this case have been building for years, as covered in Epic Is Being Sued From Every Direction.

Your organization is almost certainly connected to Carequality or TEFCA. Those networks operate on self-attestation. A third-party vendor connected through your Epic environment can request data under a "Treatment" purpose code without your real-time knowledge or approval. If that vendor's attestation is later found to be fraudulent, your organization's audit trail, indemnification posture, and BAA language will be examined.

This is not hypothetical. It is already in front of a federal court.

What CFOs Need to Audit in Their Epic Contracts Right Now

The litigation is reshaping the risk allocation landscape for any organization negotiating or renewing with Epic. If your organization has not yet treated IT governance as a finance function, that framework starts here: IT Governance Is Now a Finance Problem for Health System CFOs. There are four contract areas that deserve immediate attention.

First, look at your Business Associate Agreement language around permitted use and data lineage. Epic is signaling to the market that self-attestation on national networks creates a governance gap. Your BAA should clearly define where Epic's liability for network-transmitted data ends and where yours begins. Broad indemnification clauses that leave your organization financially responsible for upstream network failures you cannot technically control are no longer acceptable boilerplate.

Second, review your third-party app integration framework. Health systems routinely connect predictive analytics tools, billing applications, and digital health platforms through Epic's connection marketplace. If Epic tightens vetting requirements and a mission-critical vendor loses API access, your organization faces operational downtime without contractual protection. Push for continuity-of-integration clauses that define what happens to your workflows if a connected vendor is suspended.

Third, demand comprehensive audit logging in any new module purchases. The lawsuit involves allegations of bulk data queries executed under falsified purpose codes. Your contract should specify that audit logging tools capable of capturing the credential, purpose code, and destination of every automated data query are included in the base license, not sold as an add-on.

Fourth, negotiate distinct liability caps for interoperability and network data exchange, separate from standard software errors and omissions. These are different risk categories. Treat them as such in the contract.

"Interoperability is a federal mandate. But unverified interoperability is a massive legal liability." The Epic litigation is the clearest demonstration yet that the technical act of data exchange and the legal accountability for that exchange are not the same thing.

Four-row CFO checklist for auditing Epic EHR contract risk areas including BAA language, third-party app clauses, audit logging, and interoperability liability caps.

Four-row CFO checklist for auditing Epic EHR contract risk areas including BAA language, third-party app clauses, audit logging, and interoperability liability caps.

Ransomware Is No Longer a Downtime Problem. It Is a Revenue Event.

The FBI opened a 22,000-square-foot simulated town at its Redstone Arsenal campus in Huntsville, Alabama, for a specific reason. The facility, called the Kinetic Cyber Range, includes a fully wired mock hospital where agents train for ransomware response in real time. Alarms sound. Role players respond as though patient care is at risk. The FBI built a fake hospital because the real ones keep going down.

Healthcare recorded 460 ransomware attacks in 2025 according to FBI data, the highest rate of any critical infrastructure sector in the country. That number reflects only reported incidents.

What has changed is the attack structure. Ransomware groups have moved to what security professionals call triple extortion. The sequence is: steal the data, encrypt the systems, then use the exfiltrated records to directly contact patients, partners, or regulators to amplify pressure for payment. A single attack now generates three simultaneous financial exposures: operational downtime, regulatory notification costs, and third-party liability from weaponized patient data.

For CFOs operating on 2 to 3 percent margins, the financial math is unforgiving. A mid-sized health system experiencing two weeks of EHR downtime can lose $1 million to $3 million per day in deferred procedures, denied claims, and emergency staffing costs. Triple extortion adds patient notification expenses, potential OCR investigation costs, and reputational damage that affects patient volume in subsequent quarters. The budget planning framework for these exposures is covered in depth in Healthcare Cybersecurity 2026: The CFO's Financial Risk and Budget Planning Guide.

What the FBI's Approach Tells You About Your Own Readiness

The FBI's Kinetic Cyber Range trains agents to manage two simultaneous crises: the technical breach and its operational consequences. That dual-track framing is exactly how CFOs should be thinking about their incident response planning.

Most healthcare organizations have an IT incident response plan. Fewer have a financial incident response plan that runs in parallel. The financial track should answer specific questions before an attack occurs.

At what revenue loss threshold does leadership escalate to the board? What is the pre-negotiated relationship with your cyber insurance carrier, and what documentation do they require to activate coverage quickly? Does your business continuity plan include manual revenue cycle fallback procedures that can sustain cash flow through an EHR outage? Who is authorized to make financial decisions during active negotiations, and what is the decision tree for ransom payment versus alternative recovery options?

The FBI officially discourages ransom payment. Their operational priority on site is stabilization and evidence collection. Your operational priority is protecting cash flow and maintaining patient care continuity. Those goals are compatible, but only if you have done the planning before the alarm sounds.

In my work supporting analytics implementation at health systems, the organizations that recovered fastest from operational disruptions were not necessarily the ones with the most sophisticated technology. They were the ones whose finance teams had pre-built manual workflows and knew exactly which revenue streams to protect first. The same principle applies to ransomware recovery.

CFO decision tree flowchart for financial response to a healthcare ransomware attack, including insurance activation, revenue cycle fallback, and board escalation thresholds.

CFO decision tree flowchart for financial response to a healthcare ransomware attack, including insurance activation, revenue cycle fallback, and board escalation thresholds.

The Convergence Risk CFOs Cannot Afford to Ignore

Here is the scenario your risk assessment should include but probably does not.

A third-party vendor connected through your interoperability network is compromised in a ransomware attack. The attacker uses that vendor's API credentials to move laterally into your EHR. Patient records are exfiltrated before your security team detects the intrusion. You now face a HIPAA breach notification requirement, potential False Claims Act exposure if the exfiltrated data touches any federal program billing records, and the possibility that your own organization is named in litigation similar to what Epic is pursuing against Health Gorilla.

This is not a threat model built from speculation. It is a direct combination of the two threat categories covered in this article, connected through the same vendor API ecosystem that every major health system relies on daily.

The CFO's role in preventing this is not technical. It is contractual, governance-focused, and financial. It means demanding audit capabilities, negotiating liability allocation, building financial response plans, and treating every vendor integration as a direct extension of your organization's risk profile.

If your organization is in the middle of an Epic renewal, expansion, or new module negotiation, the contract language decisions you make in the next 90 days will determine your legal exposure for the next several years. HFI Consulting works with provider and payer finance teams to build vendor risk frameworks that translate technical contracts into financial accountability structures. Visit hfi.consulting to learn more or start a conversation.

Building the Internal Controls Framework

Two practical steps belong on your near-term agenda regardless of where you are in the Epic contract cycle.

The first is a vendor API audit. Pull the complete list of third-party applications integrated with your EHR. For each, document what data they can access, under what purpose codes, and what your BAA says about their downstream use of that data. Most finance teams have never seen this list. Your legal team should be reviewing it quarterly.

The second is a tabletop financial exercise. Run a simulated ransomware scenario with your CFO, revenue cycle director, and cyber insurance contact in the room. The goal is not to test the IT team. The goal is to identify the financial decision points where ambiguity exists before an actual event forces those decisions in real time.

Both of these are internal control functions, not IT functions. They belong on the finance team's agenda.

Part 2 of this series covers AI readiness, data governance, and how federal regulation is simultaneously helping and hurting payers and providers. If you are evaluating AI investments, the governance framework your organization builds today will determine whether those investments deliver the projected returns or expose you to a new category of liability. That article publishes tomorrow. In the meantime, if your team is working through vendor risk or EHR contract questions, reach out at hfi.consulting.

P.S. Has your organization run a financial incident response tabletop for a ransomware scenario, separate from the IT response plan? I am curious how many finance teams have that framework in place versus how many are relying entirely on the IT playbook. Hit reply and tell me where your organization stands.

HFI Consulting works with healthcare finance leaders on vendor risk, data governance, and strategic finance advisory. Learn more at hfi.consulting.

Previous
Previous

Before Your AI Investment Delivers, Your Data Has to Be Ready: A CFO Guide to Governance, Readiness, and Federal Rules That Cut Both Ways

Next
Next

The Most Underpaid, Underappreciated Role in Hospital Finance: Who Should Be Running Your Medicare Cost Report