Tech giant Google is reportedly engaged in collecting the personal health information of tens of millions of Americans across 21 states — a project dubbed “Project Nightingale” — and has not notified patients or doctors about what they are doing.
“Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer,” according to internal documents obtained exclusively by The Wall Street Journal. “The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.”
“Neither patients nor doctors have been notified,” the Journal added. “At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.”
Google teamed up with Ascension, a Catholic chain of 2,600 hospitals spread out over 21 states and in the District of Columbia, and other doctors offices launch the project last year.
Forbes reports that the project “involves Ascension moving patient records onto Google’s cloud servers and includes a search product that allows Ascension healthcare providers to see an ‘overview page’ about their patients. The page includes complete patient information as well as notes about patient medical issues, test results and medications, including information from scanned documents, according to presentations viewed by Forbes.”
“A source familiar with the project said that patients are not aware of Google’s access to their data, though patient privacy laws generally allow the sharing of patient data with third parties without notification if it is for purposes that ‘help it carry out its health care activities and functions,'” Forbes added. “Ascension employees have raised concerns internally, according to documents, about patient data privacy.”
The Journal and Forbes both reported that it appeared as though Google’s actions were not in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The New York Times reported over the summer that Google has been accused of inappropriate access to massive amounts of health care records through the University of Chicago Medical Center.
On June 26, the Times reported, “The University of Chicago, the medical center and Google were sued in a potential class-action lawsuit accusing the hospital of sharing hundreds of thousands of patients’ records with the technology giant without stripping identifiable date stamps or doctor’s notes.”
“The deal with the University of Chicago medical center violated patient privacy, the lawsuit claims, because those records also included date stamps of when patients checked in and checked out of the hospital,” the Times added. “The records included patient demographics, diagnoses, procedures, medication and other data. The paper states that the records were ‘de-identified,’ except that ‘dates of service were maintained.’ The paper also noted that the University of Chicago had provided ‘free-text medical notes’ that were de-identified.”
Late last year, Google was fined $170 million by the Federal Trade Commission (FTC) in a settlement following the FTC’s investigation into allegations that Google was violating child privacy laws.
“Google LLC and its subsidiary YouTube, LLC will pay a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General that the YouTube video sharing service illegally collected personal information from children without their parents’ consent,” The FTC said in a statement. “The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule. The $136 million penalty is by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”