Google is being sued in a potential class-action lawsuit which accuses the tech giant of inappropriately accessing sensitive medical records belonging to hundreds of thousands of hospital patients.
The lawsuit, filed on Wednesday, is the latest example of how tech giants’ forays into the trillion-dollar healthcare industry are being met by concerns over privacy.
In recent years, companies including Microsoft, Apple, and Google have all pitched their services to medical institutions, promising that they can help organize medical data and use this information to develop new AI diagnostic tools. But these plans are often met with resistance from privacy advocates, who say that this data will give tech giants an unprecedented view into the lives of their customers.
The lawsuit in question, which was first reported by The New York Times, is concerned with a deal made in 2017 between Google and the University of Chicago Medical Center (also a defendant). Google was given access to patient records from the University of Chicago Medicine between 2009 and 2016, which it said it would use to develop new AI tools.
In a blog post at the time, Google said it was ready to start “accurately predicting medical events — such as whether patients will be hospitalized, how long they will stay, and whether their health is deteriorating.” The company also noted it would use “de-identified medical records” from Chicago that would be “stripped of any personally identifiable information.”
Wednesday’s lawsuit claims that the company failed to do this. “In reality, these records were not sufficiently anonymized and put the patients’ privacy at grave risk,” it says.
Crucially, the lawsuit says Google received records of when patients were admitted and discharged from the medical center, a potential violation of the federal health data privacy regulation known as HIPAA. This information, says the suit, could be combined with location data collected by Google’s Android mobile OS to reveal individual patients’ identities.
The rest of the information covered in the records is detailed. It includes individuals’ height, weight, and vital signs; whether they suffer from diseases like cancer or AIDS; and records of recent medical procedures, including transplants and abortions.
The suit says the University of Chicago Medical Center also failed in its duties. “[T]he University did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain.”
Notably, the lawsuit is similar to complaints made against Google’s AI subsidiary DeepMind in the UK. There, DeepMind made a deal in 2015 to access patient records from the UK’s National Health Service (NHS), which it used to develop an app for doctors and nurses. An investigation by the UK’s data watchdog found that the deal “failed to comply with data protection law,” and that DeepMind made “inexcusable” errors while handling the data.
DeepMind later rewrote its contracts with the NHS and established new independent advisory boards to scrutinize its activities. These boards were shut down when the DeepMind department concerned, DeepMind Health, was absorbed into Google.
Google and the University of Chicago Medical Center both deny the accusations laid out in the lawsuit.
A spokesperson for Google told the New York Times: “We believe our health care research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health.” A spokesperson for the University of Chicago also told the Times that the claims were “without merit.”
Lawsuits such as these are often launched with the intent of attracting more plaintiffs. The lawsuit currently focuses on a single complaint by Matt Dinerstein, who was admitted to the Chicago University Medical Center in 2015.