What did HHS do about Epic record sharing?
Epic exposes risks of impersonation in patient record sharing
A STAT+ report described how Epic Systems, a major electronic health record vendor, uncovered evidence of “rot” in patient record sharing—specifically, that some companies were able to gain access by posing as healthcare providers.
According to the coverage, the issue surfaced in a recent court filing where Epic demonstrated that companies could impersonate providers in order to access shared patient information. That matters because EHR data sharing typically relies on trust mechanisms for identity and authorization; impersonation suggests those controls can be bypassed.
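The security point above is that an authorization check is only as strong as the identity claim it rests on. The following Python example is added here to illustrate that distinction; it is not code from Epic, STAT, or any record-sharing network. It assumes a hypothetical sharing network that keeps a vetted directory of participating organizations and their roles, and it uses an HMAC-signed assertion from that directory as a stand-in for the certificate-based credentials a real network would use. The weak gate accepts the requester's self-declared role, so an impostor passes; the hardened gate takes the role only from a directory-signed assertion bound to the requesting organization.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample directory (assumption: the sharing network vets each
# participant once and records the role it is entitled to assert).
VERIFIED_DIRECTORY = {
    "org-1001": {"name": "Riverside Clinic", "role": "provider"},
    "org-2002": {"name": "DataBroker LLC", "role": "vendor"},
}

# Constructed signing key held by the directory. A real network would use a
# PKI certificate chain; HMAC keeps this example self-contained and offline.
DIRECTORY_KEY = b"constructed-directory-key-do-not-reuse"


@dataclass
class Request:
    org_id: str
    claimed_role: str        # whatever the requester says about itself
    purpose: str             # e.g. "treatment"
    assertion: str = ""      # directory-issued assertion, empty if absent


def weak_gate(req: Request) -> bool:
    """Trusts the self-declared role. Anyone who types 'provider' gets in."""
    return req.claimed_role == "provider" and req.purpose == "treatment"


def issue_assertion(org_id: str) -> str:
    """Directory signs (org_id, role) so the requester cannot pick its own role."""
    entry = VERIFIED_DIRECTORY[org_id]
    payload = json.dumps({"org_id": org_id, "role": entry["role"]}, sort_keys=True)
    sig = hmac.new(DIRECTORY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_assertion(assertion: str):
    """Return the signed claims if the signature checks out, otherwise None."""
    try:
        payload, sig = assertion.rsplit(".", 1)
    except ValueError:
        return None  # malformed or missing assertion
    expected = hmac.new(DIRECTORY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or forged signature
    return json.loads(payload)


def hardened_gate(req: Request) -> bool:
    """Role comes from the directory's signed claim, bound to this org_id."""
    claims = verify_assertion(req.assertion)
    if claims is None or claims.get("org_id") != req.org_id:
        return False
    return claims.get("role") == "provider" and req.purpose == "treatment"


def run_demo() -> dict:
    """Exercise both gates against a constructed impostor and a real provider."""
    impostor = Request("org-2002", "provider", "treatment")
    results = {
        "weak_gate_accepts_impostor": weak_gate(impostor),
        "hardened_gate_rejects_unasserted_impostor": not hardened_gate(impostor),
    }
    # Impostor presents its own genuine assertion: the role inside says "vendor".
    impostor.assertion = issue_assertion("org-2002")
    results["hardened_gate_rejects_vendor_assertion"] = not hardened_gate(impostor)
    # Impostor edits the role in the payload: the signature no longer matches.
    forged = impostor.assertion.replace('"vendor"', '"provider"')
    results["hardened_gate_rejects_forged_assertion"] = not hardened_gate(
        Request("org-2002", "provider", "treatment", forged)
    )
    legit = Request("org-1001", "provider", "treatment", issue_assertion("org-1001"))
    results["hardened_gate_accepts_provider"] = hardened_gate(legit)
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The design choice to notice is that the hardened gate never reads `claimed_role`; the only role it honours is one a trusted third party has signed and bound to the organization identifier making the request, which is the property an impersonation finding like the one described above indicates was missing or bypassable.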
The report framed the moment as a test for the U.S. Department of Health and Human Services (HHS), asking whether federal regulators will step in to address gaps.
Why it matters for patients and the system:
- Patient privacy risk: Unauthorized access can expose sensitive medical data.
- Integrity of access controls: If impersonation works in practice, the authorization model needs tightening.
- Regulatory consequences: A major vendor flagging the problem in court increases pressure for enforcement and policy updates.
What the summary leaves unclear is the full scope: how many entities were involved, which jurisdictions were affected, and which specific technical or procedural fixes are being pursued.