As first reported by the Wall Street journal yesterday and updated today, and collaborated by the New York Times, Google is once again violating the public trust and using your personal data without the data owner’s permission and with no compensation to the owner. Now this has

sparked a federal inquiry and criticism from patients and lawmakers

At issue for regulators and lawmakers who expressed concern is whether Google and Ascension are adequately protecting patient data in the initiative, which is codenamed “Project Nightingale” and is aimed at crunching data to produce better health care, among other goals. Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records. The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said. Source: op. cit. WSJ

As reported by the Guardian, an anonymous whistle-blower posted here, indicated that “The data is being transferred with full personal details including name and medical history and can be accessed by Google staff. Unlike other similar efforts it has not been made anonymous though a process of removing personal information known as de-identification.” which would violate HIPAA rules among others.

“The optics are bad. The legal argument is tenuous. Ethically, this is a bad strategy. They need to tell people what they are doing,” said Ellen Wright Clayton, a professor of biomedical ethics at Vanderbilt University. She said the Alphabet Inc. unit risks running afoul of the rules if it uses the health data to perform independent research outside the direct scope of patient care.

Google would not comment if it would conduct research with the data which would in itself be a violation of HIPAA, and people familiar with the project said workers are still going through Ascension’s collections and do not know what might be produced.

In meetings and presentations reviewed by the Journal, Google has laid out deep ambitions for the project. Google executives describe the goal as a “layer” of patient information that is essentially an entire personal health record. Artificial intelligence would immediately jump in with suggested questions, and its own answers, such as risks of a given treatment plan. Project Nightingale would then automatically predict and map the outcome of certain procedures or medications.

Doctors and other Ascension medical staff, as well as Google employees, would be able to pull up far-flung patient data faster than under Ascension’s current system. Conceptual images of the software under construction show an interface much like Google’s flagship search engine. Begin to type in a first name, and Google will produce a drop-down menu featuring other patients with similar names. A single click reveals metabolic data, medications, phone numbers and even the patient’s temperature. Software would be able to automatically read scanned images such as MRIs and upload related data to a central network accessible to Ascension and some Google employees.

The concept gave some Ascension patients pause.“Google is not doing this out of the goodness of their heart,” said Tim Wiesner, a 63-year-old retired nurse and Ascension patient in Wichita, Kan. He said he was disappointed not to have been notified of the data sharing directly by his doctor. “It just seems deceitful. I’m sure they are going to make money off our information. Source: Op. cit. WSJ

And Google has a history of deceit.

In 2017, a British government watchdog agency ruled that the Royal Free National Health Service Foundation Trust, a major health provider, had violated a data protection law when it transferred medical records to DeepMind, an A.I. lab in London owned by Google’s parent company, without sufficiently informing patients.

DeepMind further outraged privacy groups in 2018 when it announced plans to transfer the unit that processed the medical records to Google, after saying that it would not link patient data to Google accounts. DeepMind’s health team officially joined Google in September. In absorbing DeepMind’s health unit, Google said, it was building “an A.I.-powered assistant for nurses and doctors.”

In June, Google, the University of Chicago Medical Center and the University of Chicago were sued in a potential class-action lawsuit accusing the hospital of sharing hundreds of thousands of patients’ records with the technology giant without properly stripping the records of identifiable date stamps or doctors’ notes.

In a research paper published last year, the company said it had used electronic health record data of patients — including diagnoses, procedures and medications at the University of Chicago Medical Center — from 2009 to 2016. The paper states that the records were “de-identified,” except that “dates of service were maintained.”

The lawsuit said the inclusion of dates was a violation of HIPAA, in part because Google could combine them with other information it already knew, like location data from smartphones, to establish the identity of the patients in the medical records. Source op. cit. NYT

As one comment to the NYT article stated “Big Tech, Big Pharma, and Big Brother all rolled into one. What could possibly go wrong?”

Indeed. Google et. al. needs to broken up and highly regulated when it comes to issues of privacy. US. Federal and State laws (in the absence of Federal action) need to be modernized and stiffened to reign in these tech monopolists. The “Right to Forgotten” needs to extend to all corners of “big data.” Maximum privacy needs to the default setting not a complex opt. out. schema.

Above all, citizens need to speak up, get involved and wise up on issues such as these.

Comments welcome