Website Substitute Notice
Mosaic Health System is posting this substitute notice to provide individuals with information about the data security event and to share resources available to people whose personal data was potentially impacted. We have mailed letters to individuals whose information may have been involved in this event. However, because we may not have addresses for everyone, we are posting this substitute notice on this website, as allowed by the Health Insurance Portability and Accountability Act (HIPAA).
What Happened?
On or about 1/13/2026, Mosaic was notified by Epic, our Electronic Health Record provider, that there may have been misuse of the Care Quality platform by participants who were provided a connection by the company Health Gorilla. Care Quality is an extension of Care Everywhere, which allows providers to exchange information for treatment purposes, as permitted under the HIPAA Privacy Rule. Per Epic, all of Health Gorilla’s participant organizations claimed a “Permitted Purpose of Treatment” when requesting and retrieving records from Epic; however, due to exchange trend anomalies and concerns reported by other Epic customers, Epic became concerned with the use of records by Health Gorilla participants, including RavillaMed, Mammoth Path Solutions, Mammoth DX, SelfRX, and GuardDog Telehealth. As a result, Epic has suspended the gateway for exchange through the platform to those identified entities.
Please note that all electronic health records that may have been disclosed through this gateway to listed participants were requested under a Permitted Purpose of Treatment. There is no programmatic way to determine whether those requests were used for the permitted treatment purpose, and we are notifying patients out of an abundance of caution. Information disclosed may have included clinical information (diagnosis, conditions, lab results, medication, care plans, and other treatment-related information), demographic information (address, date of birth, driver’s license, name), and financial information (insurance card).
Please note that participants within this health exchange gateway are to be managed by the implementors such as Epic and Health Gorilla. These requests, submitted on the basis of a treatment purpose, are not manually reviewed by Mosaic. Mosaic is attached to the gateway to ensure interoperability for patient care continuity and quality outcomes. It is the responsibility of the implementors to ensure the obligation of treatment purpose is maintained with each request.
What can you do?
Although financial information largely was not impacted in this incident, here are steps individuals can take to protect themselves:
- Individuals should be on the lookout and regularly monitor the explanation of benefits statements received from their health plan and statements from health care providers, as well as bank and credit card statements, credit reports, and tax returns, to check for any unfamiliar activity.
- If individuals notice any health care services they did not receive listed on an explanation of benefits statement, they should contact their health plan or doctor.
- If individuals notice any suspicious activity on bank or credit card statements or on tax returns, they should immediately contact their financial institution and/or credit card company or relevant agency.
- If an individual believes they are the victim of a crime, they can contact local law enforcement authorities and file a police report.
Contact us
If you have questions regarding this notice, please feel free to contact Compliance at (816) 271-6006.