90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-055
Healthcare · United States · 2021 · Unvalidated clinical model

Epic's sepsis-warning model ran in hundreds of hospitals, and an external test found it missed about two-thirds of cases while flooding clinicians with false alarms

By Ellie Harris · Filed External validation published June 2021

Alleged: Epic Systems Corporation developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

Epic's sepsis-warning model ran in hundreds of hospitals, and an external test found it missed about two-thirds of cases while flooding clinicians with false alarms

What happened

Sepsis kills quickly, and catching it early saves lives, so a tool that warns clinicians before a patient deteriorates is valuable. Epic Systems, whose software holds the medical records of a large share of American hospital patients, built such a tool into its electronic health record: the Epic Sepsis Model, a proprietary algorithm that scored hospitalised patients for the risk of sepsis and raised an alert when the score crossed a threshold. It was switched on across hundreds of hospitals.

In June 2021, researchers at the University of Michigan, led by Andrew Wong, published an external validation of the model in JAMA Internal Medicine. They ran it against the records of 27,697 adult patients, covering 38,455 hospitalisations, admitted to Michigan Medicine, and compared what the model predicted against what actually happened. The results were a long way from the marketing. The model’s ability to distinguish patients who would develop sepsis from those who would not, measured as area under the curve, was about 0.63, against the 0.76 to 0.83 range Epic had reported. In practice that meant it missed roughly two-thirds of the patients who had sepsis, 1,709 of 2,552, even as it generated alerts on close to a fifth of all hospitalised patients. It rarely caught what clinicians had not already suspected. The combination, low sensitivity and high alert volume, is the worst of both: it failed to flag the cases that mattered while contributing to the alert fatigue that makes clinicians tune warnings out.

Part of the gap between Epic’s numbers and Michigan’s traced to how the model had been built and measured. Reporting by STAT found the model used whether a clinician had already ordered antibiotics as one of its inputs, which flattered its apparent performance, since by the time antibiotics are ordered sepsis is often already suspected, and that this was not publicly disclosed. An accompanying JAMA Internal Medicine editorial put the lesson in its title: “The Epic Sepsis Model Falls Short, The Importance of External Validation.”

Epic disputed the study, arguing in part that performance depended on local calibration and on how each site used the tool. It subsequently overhauled the model; documents surfacing in 2022 showed the changes, including a recommendation that hospitals retrain the model on their own patient data before relying on it, a revised definition of sepsis onset, and reduced reliance on the antibiotic-order signal. No single patient harm was the headline here. The harm was structural: a clinical tool whose real-world accuracy had not been independently established was running, widely, as though it had.

What an auditable version would have shown

The question that mattered about the Epic Sepsis Model was not whether it could score a risk, but how well its scores held up against outcomes in the hospitals actually using it, and that question went unanswered at scale for years. The model’s marketed performance came from the vendor; the independent performance came from one academic group, after the fact, at one health system. Between the claim and the validation sat hundreds of deployments running on trust.

An auditable version makes a model’s live performance a measured, ongoing fact rather than a launch-day brochure figure. It records each alert the model fires, each case it stays silent on, and the eventual clinical outcome, and computes from those records the model’s actual sensitivity and false-alert rate at that site, over time. With that, a model missing two-thirds of sepsis cases is a number a hospital can see on its own patients within weeks, bound to the records it was computed from, rather than something a journal article reveals two years later. Independent, continuing validation stops being an academic exercise and becomes a standing property of the deployment.

Where the gap was

The gap was that a clinical model was sold and deployed on performance claims that no independent, continuing measurement on real patients had confirmed, and that nothing at each site was generating that measurement as the model ran. A vendor’s reported accuracy is a starting point; whether the tool achieves it in a given hospital is an empirical question that only that hospital’s data can answer.

A MetricRecord is the control: a signed, recomputable measure of the model’s sensitivity, false-alert rate and calibration, computed over the site’s own recorded outcomes, so that performance is monitored continuously rather than asserted once. A ConductRecord is its foundation: a record of each prediction and the outcome it was tested against, which is what a MetricRecord is computed from and what lets an independent party check the figure rather than take it on faith.

What governance should have looked like

The pattern recurs across high-stakes AI sold on a performance number: the number is real in the setting where the vendor measured it and unverified everywhere it is deployed, and without local, ongoing validation the gap between the two is discovered in patients rather than in testing. A model’s accuracy is not a property of its marketing; it is a property of its use, and it has to be measured there.

The reference implementation of MetricRecord and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Epic Systems Corporation could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →