A Texas-based health technology company has admitted in court that it accessed patient medical records and provided them to law firms—raising new concerns about how sensitive health data is being used in the legal system.

According to The Washington Post, GuardDog Telehealth acknowledged that its business “instead focused on requesting, reviewing, and summarizing medical records, and providing those medical records to law firms.” What was represented as healthcare access, according to the filings, became something very different in practice.

The scope is significant. The company was tied to roughly 6,000 patient records, part of about 300,000 records that Epic Systems, one of the nation’s largest electronic medical record companies,  said were allegedly accessed without patient consent across multiple entities. And the issue wasn’t theoretical: Epic first raised concerns after noticing that law firms already “appeared to have access to patient records.”

GuardDog maintains it “has always maintained that it acted in good faith.” But the case points to a broader breakdown in the system. Networks designed to allow doctors and hospitals to securely share patient data for treatment may also be vulnerable to misuse by third parties operating outside traditional healthcare tools – for litigation purposes.

That is where this becomes a Texas policy issue.

Texas has taken the lead in cracking down on abusive litigation. But this case shows a new front: data. If medical records can be accessed, reviewed, and routed into lawsuits, then the incentives driving litigation are expanding upstream, before a case is ever filed.

Policymakers should take this seriously. 

 Bad actors should be prohibited from exploiting sensitive health data. Systems built for patient care should not be repurposed for abuse. Patient records must exist for care, not case generation.

Because once data becomes a tool for starting lawsuits, the system is no longer protecting patients, it risks being used to target them.