Our Take
SelfRx's denial of knowledge is a legal posture, not a technical defense—and it exposes a real vulnerability in how health systems audit and control record access.
Why it matters
EHR vendors and chronic condition management platforms sit on patient data at scale. If a company can't (or won't) trace who extracted 100,000 records, every health system using similar third-party integrations should audit its own access logs immediately.
Do this week
Compliance officer: Pull your API audit trails for all third-party health apps with EHR read permissions before month-end, so you can identify any unexplained bulk exports before regulators ask.
Epic v. SelfRx: A data access dispute turns adversarial
Epic Systems filed suit against SelfRx, a chronic condition management platform, alleging that SelfRx employees retrieved over 100,000 patient medical records without authorization. According to Healthcare Dive, Epic characterized the access as deliberate extraction for financial gain. SelfRx has now responded to the accusation by claiming it does not know who accessed the records or how the breach occurred. This denial shifts the burden of proof but does not resolve the factual question of whether records were exfiltrated or how a company operating on top of an EHR platform lost control of that access.
The audit trail problem is bigger than one lawsuit
SelfRx's response reveals a structural risk in healthcare data infrastructure. If a company operating a third-party application cannot account for bulk record access from its own systems, that is not merely a compliance failure for SelfRx—it signals a gap in Epic's own audit and access controls, or in the contracts that govern what SelfRx can retrieve and log.
Health systems depend on EHR vendors to enforce role-based access control and generate audit trails. When those trails are absent, incomplete, or not regularly reviewed, a company can extract tens of thousands of records and leave no clear forensic path. The lawsuit will likely turn on whether SelfRx's systems generated access logs, whether those logs were preserved, and whether Epic can prove intent to monetize the data. SelfRx's claim of ignorance may be tactically sound, but it underscores that many health systems have not audited their own third-party integrations in months or years.
What to do this week
Health system leaders should request a full accounting of which third-party applications have API access to patient data in their EHR. For each integration, ask: (1) What data can it retrieve? (2) Are all data access events logged? (3) When was the log last reviewed for anomalies? (4) Is there a contractual cap on volume or frequency of API calls? If your vendor cannot answer these questions in writing, suspend the integration pending audit.
For compliance teams, pull a sample of API access logs for the past 90 days from any third-party health or wellness app connected to your EHR. Look for bulk exports or unusual query patterns. If logs are missing, incomplete, or have gaps, escalate to your EHR vendor's security team and document the finding. This is not paranoia; this is the legal standard that the Epic lawsuit will establish for the industry.
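The review described in the two paragraphs above, and the "no clear forensic path" problem raised under the audit trail heading, can be turned into three concrete checks over an exported audit log: peak distinct patients any one app read inside a sliding window (bulk exports), stretches with no audit events at all (logging gaps), and reads of patients outside the cohort an app is contractually allowed to touch. The script below is an added example, not code from the article, Epic, or SelfRx. It assumes a constructed JSON-lines log format (fields ts, app, patient), constructed enrolled-patient cohorts, and thresholds chosen for illustration; real EHR audit exports such as FHIR AuditEvent carry different field names, but the checks carry over.

```python
"""Audit-log triage for third-party EHR API integrations (added example).

Assumed, constructed log format: one JSON object per line with
  ts      ISO-8601 timestamp (naive, treated as UTC)
  app     client id of the third-party application
  patient patient id whose record was read
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable


def build_sample_log() -> list[str]:
    """Constructed sample: a routine app, a bulk-reading app, and a 3-day gap."""
    lines = []
    day1 = datetime(2024, 3, 1, 8, 0)
    # care-app: reads the same 30 enrolled patients once an hour for 6 hours.
    for h in range(6):
        for i in range(30):
            ts = day1 + timedelta(hours=h, minutes=i)
            lines.append(json.dumps({"ts": ts.isoformat(), "app": "care-app",
                                     "patient": f"P{i + 1:04d}"}))
    # wellness-app: reads 1,200 distinct patients in 40 minutes (bulk export).
    start = datetime(2024, 3, 1, 14, 0)
    for k in range(1200):
        ts = start + timedelta(seconds=2 * k)
        lines.append(json.dumps({"ts": ts.isoformat(), "app": "wellness-app",
                                 "patient": f"W{k + 1:04d}"}))
    # Nothing at all is logged until day 4: a gap that needs an explanation.
    day4 = datetime(2024, 3, 4, 8, 0)
    for i in range(30):
        ts = day4 + timedelta(minutes=i)
        lines.append(json.dumps({"ts": ts.isoformat(), "app": "care-app",
                                 "patient": f"P{i + 1:04d}"}))
    return lines


# Constructed cohorts: the patients each app is contractually allowed to read.
ENROLLED = {
    "care-app": {f"P{i:04d}" for i in range(1, 31)},
    "wellness-app": {f"W{i:04d}" for i in range(1, 101)},
}


def parse_log(lines: Iterable[str]) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp; blank lines skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def bulk_access(events: list[dict], window: timedelta = timedelta(hours=1),
                max_patients: int = 200) -> dict[str, int]:
    """Per app, the peak number of distinct patients read inside any sliding
    `window`; only apps above `max_patients` are returned."""
    by_app: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e)
    flagged = {}
    for app, evs in by_app.items():
        in_window: dict[str, int] = defaultdict(int)
        start, peak = 0, 0
        for e in evs:
            in_window[e["patient"]] += 1
            # Evict events older than the window ending at e["ts"].
            while evs[start]["ts"] < e["ts"] - window:
                old = evs[start]["patient"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_patients:
            flagged[app] = peak
    return flagged


def log_gaps(events: list[dict], max_silence: timedelta = timedelta(hours=12)
             ) -> list[tuple[datetime, datetime]]:
    """Stretches longer than `max_silence` with no audit events: either nobody
    used the API or logging stopped. Both need an explanation."""
    return [(a["ts"], b["ts"]) for a, b in zip(events, events[1:])
            if b["ts"] - a["ts"] > max_silence]


def out_of_cohort(events: list[dict],
                  enrolled: dict[str, set[str]]) -> dict[str, set[str]]:
    """Patients each app read that are not in its declared cohort."""
    hits: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["patient"] not in enrolled.get(e["app"], set()):
            hits[e["app"]].add(e["patient"])
    return dict(hits)


def triage(lines: Iterable[str], enrolled: dict[str, set[str]]) -> dict:
    """Run all three checks and return a summary suitable for an audit note."""
    events = parse_log(lines)
    scope = out_of_cohort(events, enrolled)
    return {"events": len(events), "bulk": bulk_access(events),
            "gaps": log_gaps(events),
            "out_of_cohort": {app: len(p) for app, p in scope.items()}}


if __name__ == "__main__":
    report = triage(build_sample_log(), ENROLLED)
    print(f"{report['events']} audit events reviewed")
    for app, peak in report["bulk"].items():
        print(f"BULK  {app}: {peak} distinct patients within one hour")
    for a, b in report["gaps"]:
        print(f"GAP   no audit events from {a} to {b}")
    for app, n in report["out_of_cohort"].items():
        print(f"SCOPE {app}: {n} patients outside its enrolled cohort")
```

On the constructed sample the run flags wellness-app for 1,200 distinct patients in under an hour and 1,100 reads outside its cohort, and reports one silent stretch of nearly three days. The thresholds (200 patients per hour, 12 hours of silence) are placeholders; in practice set them from each app's contractual volume cap and its normal traffic, and treat a gap as a finding to document even if it turns out to be benign.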