Epic Systems is often presented as a neutral software company. But public reporting, court filings, and Epic’s own product materials show something far more consequential: one dominant health IT company now sits at the center of how sensitive behavioral-health information is stored, shared, and used for outreach across major health systems.
That concentration creates two urgent public risks: security and the marketing of diagnosis.
The security risk is straightforward. Behavioral-health records are among the most sensitive files in medicine, and EHR-related breaches remain a widespread problem across healthcare. When Medicaid and behavioral-health records for large child populations are concentrated in a small number of digital systems, the issue is no longer just privacy.
Lawmakers, behavioral health lobbyists, and drug companies use stigma and HIPAA, even in the case of dead shooters, to hide psychiatric drug involvement in mass shootings. When a few digital companies control Medicaid and behavioral health records for millions of children, this isn’t a privacy issue; it’s a national security threat. Psychiatric diagnoses, psychotropic medications, and prescribing doctors systematically vanish from every crime scene. The behavioral health IT companies themselves appear to be the exact security risk HIPAA was meant to prevent.
The legal cases against Epic show why concentration matters. Particle Health alleged that Epic used its dominance in electronic records and data exchange to exclude a rival from the market. Epic got many claims dismissed, but not the most important ones. In September 2025, a federal judge allowed core monopolization claims to proceed, meaning Epic still had to defend against the central allegation that it used market power anti-competitively. Reuters and other outlets reported that Epic failed to secure full dismissal and remained exposed on the core monopoly theory.
The public should also understand who holds this influence. Epic is privately controlled by founder and CEO Judy Faulkner, who was appointed by President Barack Obama in 2009 to the federal Health IT Policy Committee and served until 2014 as the representative of health IT vendors. This is not a partisan point. It is a power point. Faulkner had a seat inside the policy process while the modern national health IT framework was being built, and public reporting has described her as a major political donor with a net worth estimated at about $7.8 billion.
The second risk is how diagnoses become the basis for data-driven outreach. Epic has openly expanded into healthcare “consumerism” through its Cheers CRM platform, marketed as a tool for health systems to run campaigns using thousands of EHR data points. That may be called patient engagement. But when the underlying data include mental-health diagnoses, psychotropic medication histories, missed appointments, crisis visits, or suicide-risk flags, the line between care coordination and diagnosis-based marketing becomes dangerously thin.
This matters most in Medicaid behavioral health. Children in Medicaid often move through fragmented systems involving hospitals, school-based clinics, community mental-health centers, telehealth programs, and public agencies. Their records can travel across multiple settings while families have little visibility into how those records are used to trigger reminders, prompts, referrals, and program enrollment. This looks like a major breach of informed consent, and protecting consumers’ medical records is certainly why HIPAA exists in the first place.