PUBLIC NOTICE

Substitute Web Notice to John Muir Health Patients Regarding Potential Impact to Protected Health Information – May 5, 2026

John Muir Health is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving protected health information.

John Muir Health participates in automated electronic data exchanges called Health Information Exchanges (“HIEs”) to support patient care, quality, and care coordination.  Federal regulations require that health information be shared electronically between health care providers and hospitals involved in the treatment and care of shared patients.

On January 13, 2026, Epic Systems — John Muir Health’s electronic medical records provider — notified us that a health information network called Health Gorilla, and certain participants of this network, may have improperly accessed patient medical records available through the HIE stating the health information was needed for treatment purposes. Due to the inability to confirm whether these companies actually provided treatment or had proper authorization for the information they obtained, the companies involved were suspended from participation in the HIE and cannot request any additional health information while the matter is under investigation.

On April 9, 2026, John Muir Health completed a thorough investigation of this matter and discovered between September 4, 2024, and November 12, 2025, JMH medical records were requested by one or a combination of the following participants in the Health Gorilla HIE: Mammoth Path Solutions, GuardDog Telehealth, SelfRx LLC, Ravilla Med, and/or Critical Care Nurse Consultants. The information disclosed included a combination of demographic information, clinical information, photo identification, and/or an insurance card. While John Muir Health has no reason to believe that the protected health information involved was, or will be, disclosed or used in a harmful manner, we are notifying the impacted patients and encouraging them to monitor for any potential incidents of fraud or identity theft.

Individuals who do not receive a letter from John Muir Health regarding this matter were most likely not impacted by this incident.

At John Muir Health, protecting and securing patient information is a top priority. We deeply regret any inconvenience and stress this incident may have caused patients. We are currently reviewing this matter, re-educating staff and reviewing our policies and practices so that we can prevent a future occurrence.

If you have questions on this posting, or would like to know more information, please contact the John Muir Health Privacy Office at 1-844-915-1230.