Google faces lawsuit for misusing millions of people’s medical data

Google is facing the class-action lawsuit in the UK for allegedly using confidential medical records belonging to 1.6 million individuals “without their consent or knowledge”.

DeepMind, the company’s artificial intelligence (AI) division, received the data in 2015 from the Royal Free NHS Trust in London for the purpose of testing a smartphone app called Streams, which aims to address the 25 per cent of deaths from acute kidney injuries that could be avoided through early detection. The app was subsequently used by the Trust on a discount basis.

The Trust was sanctioned by the UK’s Information Commissioner's Office in 2017 after the data protection watchdog deemed the data-sharing deal illegal. At the time, Google avoided sanctions as the responsibility for the breach was placed upon the Trust.

Now, several years after, Andrew Prismalli is bringing the claim in a representative action in the High Court to seek damages for unlawful use of patients' confidential medical records. He claims to be bringing the suit on behalf of approximately 1.6 million individuals whose records were passed to DeepMind.

"I hope that this case can achieve a fair outcome and closure for the many patients whose confidential records were - without the patients' knowledge - obtained and used by these large tech companies,” Prismalli said.

The action is being funded by Litigation Capital Management Limited, an asset management company that focuses on funding legal claims. Last year, the Supreme Court blocked a similar legal action against Google over claims that it secretly tracked millions of iPhone users' web browsing activity despite telling them it was not doing so.

At the time of the Information Commissioner's Office announcement, DeepMind stressed that its "findings are about the Royal Free, [but] we need to reflect on our own actions, too".

The average European user’s data is shared 376 times per day, according to a new study by the Irish Council for Civil Liberties (ICCL), published shortly after the announcement of the lawsuit. The source of the data was a Google feed covering a 30-day period, which was made available to the industry, but not to the public.

According to the ICCL, Google allows 4,698 companies to receive real-time bidding (RTB) data about people in the US, while Microsoft may send data to 1,647 companies. The report offers an estimate per person per day across US states and European countries, which suggests that web users in Colorado and the UK are among the most exposed by the system, with 987 and 462 RTB broadcasts per person per day.

“RTB is the biggest data breach ever recorded,” said the ICCL.

The ICCL is currently engaged in legal action with the digital ad industry and the Data Protection Commission, arguing that nobody has ever specifically consented to this practice. Moreover, a separate 2019 investigation opened by the Irish Data Protection Commission (DPC) into Google’s adtech following a number of RTB complaints, is still ongoing, but no decision has yet been made.