Google’s data-sharing deal with hospital is ‘greatest heist’, lawsuit claims
A class action lawsuit has been filed against the University of Chicago Medical Centre over its data-sharing agreement with Google.
The project intends to improve predictive analysis in medicine, such as by predicting how long a patient may need to be hospitalised and whether their health is improving or deteriorating. Hundreds of thousands of patient records from 2009 to 2016 were shared with Google under the terms of the agreement.
According to the class action lawsuit (which was filed by a patient in the US District Court for Northern Illinois) the agreement allows for too much personal information to be shared, such as doctor’s notes and date stamps. The lawsuit argues that Google would be capable of determining the identity of every patient from their medical records, such as by matching data entered into Google Maps, Calendar, or Search to determine when individuals had appointments at the hospital.
If individuals were identifiable from their health records, this would violate the 1996 Health Insurance Portability and Accountability Act (HIPAA), which governs how healthcare information can be protected while being shared between organisations.
“The personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorised disclosure is far more damaging to an individual’s privacy” than being targeted by hackers, the lawsuit says. The lawsuit argues that the records “were not sufficiently anonymised and put the patients’ privacy at grave risk”.
The lawsuit condemns the agreement as the “greatest heist of consumer medical records in history”.
Both Google and the University of Chicago defended the agreement, with a Google spokesperson saying: “We believe our health care research could help save lives in the future, which is why we take our privacy seriously and follow all relevant rules and regulations in our handling of health data.”
The University of Chicago argued that the medical centre had “complied with the laws and regulations applicable to patient privacy” and was “committed to providing excellent patient care and to protecting patient privacy”.
In 2015, the London-based Royal Free NHS Foundation Trust entered a data-sharing agreement with Google-owned AI company DeepMind. This allowed vast amounts of data on 1.6 million patients to be passed on to DeepMind in order to develop tools to help doctors and nurses detect kidney injuries. The agreement was undisclosed at the time and came to public attention in 2016. In July 2017, the Information Commissioner’s Office (ICO) ruled that the hospital did not do enough to protect its patients’ privacy, and failed to tell patients enough about the way data was used.
In 2018, DeepMind Health was moved to within Google during a corporate restructuring, breaking a promise that NHS patient data would never be connected to Google services.
Along with Google, Microsoft, IBM, and Apple have all sought partnerships with medical organisations, promising that access to masses of real patient records could lead to the development of AI tools to improve and streamline healthcare, particularly diagnosis. These proposals have been met with criticism from advocacy groups, which argue that these agreements could threaten to violate patient privacy.