Tech

Google And The University Of Chicago Are Being Sued Over Potential Privacy Violation Of Patients’ Medical Data

Photo by Drew Angerer/Getty Images

Lexi Lonas Contributor
Font Size:

Google and The University of Chicago are being sued by a former patient of UChicago Medicine who filed a class action lawsuit in the Northern District of Illinois. The lawsuit claims patients’ privacy rights were violated when UChicago Medicine shared hundreds of thousands of patients’ records with Google.

The lawsuit, filed Wednesday by Matt Dinerstein, claims the University didn’t get permission from their patients to share their information with Google and were their identities were not properly hidden when the records were handed over. It says the records included the time and date patients were in and out of the hospital as well as doctor’s notes.

“Google managed to fly under the radar as it pulled off what is likely the greatest heist of consumer medical records in history,” the lawsuit says.

The collaboration between Google and The University of Chicago started back in 2017 when the University of Chicago agreed to share medical records from 2009-2016 with Google in exchange for them working to improve AI technology and predictive analysis methods in medicine, the New York Times reported.

The release of patients’ medical records was “even more egregious” because when patients enter the Medical Center they sign admission forms in which the University agrees it will not share their records with third parties like Google, according to the lawsuit. (RELATED: Ask Google If Men Can Get Pregnant And The Answer Is ‘Yes’)

“The claims in this lawsuit are without merit,” a spokeswoman for the University of Chicago Medical Center, said in a statement to The Daily Caller. “The University of Chicago Medical Center has complied with the laws and regulations applicable to patient privacy.”

The Medical Center works to improve their patients’ lives and “pursue research partnership to advance health care.” The partnership they entered in with Google “was appropriate and legal and the claims asserted in this case are baseless and a disservice” to the Center’s goal of giving their patients the best care.

“The University and the Medical Center will vigorously defend this action in court,” the statement concluded.

CHICAGO, IL - DECEMBER 14: Dr. Phillip Verhoef speaks at a rally hosted by University of Chicago medical students to call on Congress to reauthorize funding forthe Children's Health Insurance Program (CHIP) on December 14, 2017 in Chicago, Illinois. On September 30, congress let funding for CHIP expire, leaving states to carry the burden for medical expenses of the 9 million children enrolled in the program. (Photo by Scott Olson/Getty Images)

CHICAGO, IL – DECEMBER 14: Dr. Phillip Verhoef speaks at a rally hosted by University of Chicago medical students to call on Congress to reauthorize funding forthe Children’s Health Insurance Program (CHIP) on December 14, 2017 in Chicago, Illinois. On September 30, congress let funding for CHIP expire, leaving states to carry the burden for medical expenses of the 9 million children enrolled in the program. (Photo by Scott Olson/Getty Images)

Google has also denied the allegations, telling The Daily Caller in an emailed statement, “We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data.”

Back in 2017 when Google made the deal with the University, they made a blog post explaining they “are ready to do more” in the field of medical technology stating “machine learning is mature enough to start accurately predicting medical events.”

In 2018, UChicago Medicine made a post explaining electronic health records and answering questions. They announced that they published a study in collaboration with Google, Stanford University and University of California-San Francisco.

The post said they “found that software models using de-identified data from medical records could accurately predict unplanned readmissions to the hospital, prolonged length of stay, discharge diagnoses, and even early deaths in the hospital.”

When asked how they were protecting the private information of their patients, the University responded they have a special team who “de-identified” records. All identifying information such as “names, dates of birth, Social Security numbers and any other unique characteristic or code” were purged from the records before they were given to Google.

According to HIPAA Privacy Rule, hospitals are allowed to share medical records with others as long as information is “de-identified,” which means purging the patient’s name and Social Security number from the records. Hospitals also may only share elements of dates.

Google tracks people’s locations “through a variety of means including users of Android phones and its mobile applications, like Maps and Waze.” If Google did receive the dates when patients arrived and left the hospital, the lawsuit alleges they could combine that data with the location data they collect and be able to identify the person. (RELATED: Inside Google’s Microaggressions Newsletter: Pronoun Problems, Soy Police, And A Deaf Person Told To Watch Her ‘Tone’)

This lawsuit resembles one that happened against DeepMind, an A.I. lab that is owned by Alphabet, Google’s parent company, in London. DeepMind made a deal with the UK’s National Health Service to access medical records of patients in order to develop an app to assist doctors and nurses, The Verge reported.

A U.K. data watchdog said the deal “failed to comply with data law” and DeepMind handled the data poorly.

Dinerstein is being represented by Jay Edelson, founder of Edelson PC law firm which deals with privacy cases against technology companies.

At the time of the Google and University of Chicago partnership, Google also partnered with UC San Francisco and Stanford Medicine, but lawsuits have not been filed against those universities.

Update: This article has been updated to clarify the privacy requirements of HIPAA.