Google, UChicago Sued In "Greatest Heist" Of Patient Health Data "In History"

Authored by Ethan Cai via Campus Reform,

A former University of Chicago medical patient filed a class-action lawsuit against the University of Chicago and Google, claiming that the University of Chicago Medical Center is giving private patient information to the tech giant without patients' consent. 

About two years ago, the university medical center partnered with Google with the hope of identifying patterns in patient health records to help predict future medical issues.

Now, former patient Matt Dinerstein is filing a lawsuit on behalf of the medical center’s patients, alleging that the university violated privacy laws by sharing sensitive health records with Google from 2009 to 2016, aiding Google’s goal of creating a digital health record system, according to the Chicago Maroon.

The suit alleges that the university deceived its patients by telling them that their medical records would be protected, but ultimately violated the Health Insurance Portability and Accountability Act (HIPAA), a federal law that ensures privacy and security for personal medical data. It also claims that UChicago violated state laws in Illinois that makes it illegal for companies to participate in dishonest client practices. 

The complaint details Google’s alleged two-part plan: obtain the Electronic Health Record (EHR) of almost every patient at the UChicago Medical Center, then use the information to create its own lucrative commercial EHR system.

“While tech giants have dominated the news over the last few years for repeatedly violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is likely the greatest heist of consumer medical records in history,” the complaint stated.

“The compromised personal information is not just run-of-the-mill like credit card numbers, usernames and passwords, or even social security numbers, which nowadays seem to be the subject of daily hacks.” 

“Rather, the personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy.”

Dinerstein’s lawsuit claims that EHRs contain patient information ranging from height and weight to diseases they carry such as AIDS or diabetes and medical procedures they have undergone.

The medical records include the demographics of patients, along with their diagnoses, prescribed medicine, and past procedures, the lawsuit alleges. According to the Department of Health and Human Services, HIPAA protects patients' "individually identifiable health information," which includes "demographic data, that relates to...the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual."

“The disclosure of EHRs here is even more egregious because the University promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes,” the lawsuit continued. “Nevertheless, the University did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain.”

Google detailed its use of EHRs, including ones obtained from the University of Chicago, in a 2018 research paper. The Big Tech company claimed that there are no privacy concerns because the records did not include the identities of patients.

Although Google claims to lack the personal identity associated with each set of information, the complaint calls this a “false sense of security” for patients, since Google’s comprehensive data-mining abilities, along with the time and date of each treatment and notes from medical providers that the records allegedly contained, allow them to identify each individual. 

“While this type of public misinformation campaign may be expected from a tech company that has been known to play fast and loose with the information of its customers, the fact that a prominent institution like The University of Chicago would act in such a way is truly stunning,” the complaint said. 

According to the lawsuit, Google has been interested in using algorithms to predict looming health issues. To gain the necessary information, Google first developed a personal health information storage platform that it later discontinued because few consumers participated. The company then bought DeepMind, a startup that uses artificial intelligence (AI) to study health care, reported the Chicago Tribune.

UChicago is not the sole institution that has collaborated with Google regarding medical information. Stanford University and the University of California, San Francisco have similar partnerships, according to the research paperpublished by Google.

Campus Reform reached out to UChicago for comment bud did not receive a response in time for publication.

In a statement to Campus Reform, a Google spokesperson maintained that no laws were violated and that multiple individuals and boards vetted the agreement.