Skip to main content

Google was allegedly collecting millions of Americans' healthcare data [Updated]

Google logo
Google logo (Image credit: Android Central)

What you need to know

  • Google has reportedly been siphoning data from Ascension since the last year.
  • The data shared includes lab results, diagnoses, hospitalization records, and personal information.
  • Patients were not informed of the data-sharing agreement, though Google claims the initiative is fully compliant with federal law.

Updated November 13:

Google has denied (via Bloomberg) it is using the data provided by Ascension to carry out artificial intelligence research, or performing additional processing on the data beyond basic storage and search functionality. The company's top cloud and health execs stated that the partnership with Ascension pertains only to building an internal search engine to aggregate the healthcare provider's disparate records. "That's all we're allowed to do and that's all we are doing," said David Feinberg, VP of Health at Google.

Google Cloud CEO Thomas Kurian also chimed in to clarify that the company's employees do not have access to raw patient records:

All data is logically siloed to Ascension and housed within a virtual private space encrypted with dedicated keys. Google does not sell, share or otherwise combine data from Ascension with any other data.

He also noted that while the company's collaboration with Ascension does not pertain to artificial intelligence research in the first place, when the company does create machine learning models with user data, it makes it a point to anonymize the records that are fed in:

We never actually have Google employees understand individual patients' data when it goes into the model. We have other technologies that de-identify it.

If Google's recent decision to acquire Fitbit has you in knots, your anxiety about the safety of your data may be justified. As The Wall Street Journal reports, the search giant has secretly been accumulating the health data of millions of Americans from 21 different states, in partnership with Ascension, all without patients' knowledge.

Ascension is the second-largest healthcare system in the U.S. and operates more than 2,600 care sites across 20 U.S. states and the District of Columbia, presumably the 21 locales the WSJ report refers to. The extent of the information sharing between the two was extensive, with the story noting:

"The data involved in Project Nightingale encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth."

Google claims its program, nicknamed 'Project Nightingale,' is entirely legal under federal law and wholly compliant with the Health Insurance Portability and Accountability Act (or HIPAA), the marquee legislation dealing with health care data. While the law does allow healthcare providers like Ascension to share data with other organizations without informing patients, the scope of this information sharing is ideally restricted "only to help the covered entity carry out its health care functions."

At least 150 Google employees are said to have sweeping access to millions of users' data, with these individuals employed across the spectrum of Alphabet companies and projects. The company aims to use its burgeoning cloud wing to apply AI processing on the collected data in order to identify possible changes to the care plans for individual patients. It also aims to serve as an aggregation service for healthcare data, which has historically been mostly decentralized.

The report paints Ascension's motives as partly altruistic and partly material, suggesting that while the program does enable it to provide better care to its patients, part of the reasoning behind its willingness to share patient data with Google may have been a desire to maximize profits per patient.

Ascension noted the following as part of a statement released after the publication of the story:

"All work related to Ascension's engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension's strict requirements for data handling."

Have you listened to this week's Android Central Podcast?

Android Central

Every week, the Android Central Podcast brings you the latest tech news, analysis and hot takes, with familiar co-hosts and special guests.

  • Subscribe in Pocket Casts: Audio
  • Subscribe in Spotify: Audio
  • Subscribe in iTunes: Audio (opens in new tab)
  • Just getting more and more evil I see. This tech bubble is going to pop big time in the future just like the last one.
  • Send an SMS about who you want to vote for, what you are going to the doctor for... now your carrier and google have a giant aggregation of data about political sentiment and health trends to sell to the highest bidder. You think the DNC or pharm lobby wouldn't pay for this info? You think China isn't interested in this information?
  • "Project Nightingale encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth." This reeks of corruption and a money grab on the part of Ascension. If this is true and patients were not informed and did not give explicit consent to share this data, then this is a HIPAA violation, period. Google has absolutely no business getting involved in private medical records. This is precisely why HIPAA was enacted in the first place. I deal with HIPAA on a daily basis, and even physicians & healthcare facilities must submit specific written request(s) for data from a patient's record, and for each encounter/hospitalization. Any person or entity that obtains medical information — whether it is history, diagnostic tests, consultation notes, or treatment plans — of another individual without that individual's consent is in violation of federal law.
  • While you're not technically wrong... it also all comes down to the fine print. Was there a statement inside the patient's health care plan that allowed the health care plan provider to use acquired data outside of the patients knowledge to better 'care' for their patient? Ontop of that, the health plan provider generally doesn't need any sort of signed statement/agreement, because it is the one footing the bill. I can count on a single hand how many times I've had to sign something in order for my health plan provider to have access to my medical info... and that is ZERO. I've signed to acknowledge that they'll be paying for the bill, but never for explicitly giving them access to my medical data.