Google Slurps 150 Hospitals’ Patient Data With No Consent

The mysterious Project Nightingale has been revealed as a secret Google operation to store and manipulate the healthcare data of millions of patients. Nobody consented—nobody was asked.

Google claims it’s all legal. Perhaps it is, but is it ethical? And is it a good look to be found out?

It’s no wonder people don’t trust Google any longer. In today’s SB Blogwatch, we feel sick.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: diabetuhs.

Florence Looks Cross

What’s the craic? Rob Copeland reports—“‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans”:

 Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states. [It] appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data.

Google began Project Nightingale in secret last year. … Neither patients nor doctors have been notified. … Privacy experts said it appeared to be permissible under federal law [HIPAA].

The data involved in the initiative … amounts to a complete health history, including patient names and dates of birth. [But] staffers across … Google’s parent have access to the patient information.

Google, like many of its Silicon Valley peers, has at times drawn criticism for not doing enough to protect user privacy. … Google co-founder Larry Page, in a 2014 interview, suggested that patients worried about the privacy of their medical records were too cautious.

Yikes, is that true? Natasha Singer, Daisuke Wakabayashi, Reed Abelson, and Aaron Krolik second-source the claims—“Google to Store and Analyze Millions of Health Records”:

 The partnership between Google and the medical system, Ascension, could have huge reach. Ascension operates 150 hospitals. … It is legal [but] many patients may not trust Google, which has paid multiple fines for violating privacy laws, with their personal medical details.

Google’s handling of health care data is a touchy subject. … Dozens of Google employees may have access to patient data like name, birth date, race, illnesses and treatments, according to … internal documents obtained by [us].

At least a few Ascension employees in the project have raised concerns that Google employees downloaded patient data, according to the internal documents. They have also raised concerns about whether all of the Google software involved in processing Ascension patient data complies with … HIPAA.

Busted! Google’s Tariq Shaukat quickly rushes out a PR blurb about, “Our partnership with Ascension”:

 Today, we’re proud to announce more details on our partnership with Ascension. … There’s been a good deal of speculation … so we want to make sure everyone has the facts.

Our work with Ascension is … a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers. … All of Google’s work with Ascension adheres to industry-wide regulations.

This is standard practice. … It’s understandable that people want to ask questions.

Standard business arrangement? Nothing to see here? Bogdan Petrovan concludes, “Google rushes to explain what it’s doing with all that medical data”:

 Yesterday, a bombshell report … revealed details about a partnership between Google and Ascension. … For privacy advocates, this revelation is understandably worrying.

Shaukat confirmed Google’s work with Ascension, but said there’s nothing unusual or shady about it. … Google said it merely provides Ascension with some services.

There is … little reason to doubt its claims. … That said, the fact that Google rushed out a blog post to “proudly announce” Project Nightingale speaks volumes.

Google is becoming synonymous with a disregard for privacy, perhaps not entirely unfairly. … The average consumer won’t care, and cannot be expected to know, that Google Cloud is HIPAA compliant or that hospitals have been routinely sharing data … for decades.

Fighting this perception of untrustworthiness is a huge challenge for Google, and it’s only going to get harder.

You can say that again. rnturn doesn’t buy Google’s claims of legality:

 It’s a massive violation of the protections set up under HIPAA. Or, at least, the vast majority of Americans have been led to believe it’s a violation of the law.

Most people think that HIPAA covers any and all disclosures but … employers, insurance companies, and others … aren’t covered by that aspect of the law. This is rarely, if ever, mentioned.

But Farzad Mostashari—@Farzad_MD—worries about culture (and not the sort in a petri dish):

 The perception of Google culture is that no-one curbs the curiosity of engineers. … They have to convince people that they actually have controls in place to ensure that the data is only being used for the purposes of the agreement.

The perception [is] Google’s culture makes it more likely (than at a claims clearinghouse) for an individual engineer to play around with data, not [realizing] they are breaking the terms of [an] agreement.

However, oakmad hopes privacy fears won’t trump actual healing:

 My start up is in the healthcare space. … There’s definitely a group here who think that [patients] just need to accept that their data is going to be fed into models … as it will help outcomes and costs, etc.

Having seen some of the results that AI is catching out in the field I’m tending towards universal good over personal privacy – though I may regret that.

So merely a PR flub? Yasmeen Shorish—@yasmeen_azadi—says no:

 We’re out here chasing after ethics education in data science while AI applications are being deployed in secret and potentially problematic ways. The lack of disclosure to patients and doctors is completely inexcusable.

Another example of something legal, but not very ethical.

And QuietLagoon asks the obvious question:

 If the data are so useful to those who steal it from patients and beneficial to those patients, then why perform the collection surreptitiously and without the permission of … the patients?

Meanwhile, ufgrat wonders if—on paper—Google did get permission:

 If patients are being tricked into signing away their rights, the lawsuits could be… spectacular.

And Finally:

So you’ve got diabetes; but how to pronounce it?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: U. Texas at Austin

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
