CHICAGO, Illinois (PNN) - July 2, 2019 - A former University of Chicago medical patient filed a class-action lawsuit against the University of Chicago and Google, claiming that the University of Chicago Medical Center is giving private patient information to the tech giant without patients' consent.
About two years ago, the university medical center partnered with Google with the hope of identifying patterns in patient health records to help predict future medical issues.
Now, former patient Matt Dinerstein is filing a lawsuit on behalf of the medical center’s patients, alleging that the university violated privacy laws by sharing sensitive health records with Google from 2009 to 2016, aiding Google’s goal of creating a digital health record system.
The lawsuit claims that the university deceived its patients by telling them that their medical records would be protected, but ultimately violated the Health Insurance Portability and Accountability Act (HIPAA), a federal law that ensures privacy and security for personal medical data. It also claims that UChicago violated state laws in Illinois that make it illegal for companies to participate in dishonest client practices.
The complaint details Google’s alleged two-part plan: obtain the Electronic Health Record (EHR) of almost every patient at the UChicago Medical Center, then use the information to create its own lucrative commercial EHR system.
“While tech giants have dominated the news over the last few years for repeatedly violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is likely the greatest heist of consumer medical records in history,” the complaint states.
“The compromised personal information is not just run-of-the-mill like credit card numbers, usernames and passwords, or even social security numbers, which nowadays seem to be the subject of daily hacks,” the complaint states. “Rather, the personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy.”
Dinerstein’s lawsuit claims that EHRs contain patient information ranging from height and weight to diseases they carry such as AIDS or diabetes, and medical procedures they have undergone.
The medical records include the demographics of patients, along with their diagnoses, prescribed medicine, and past procedures, the lawsuit alleges. According to the Department of Health and Human Services, HIPAA protects patients' "individually identifiable health information," which includes "demographic data, that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual."
“The disclosure of EHRs here is even more egregious because the University promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes,” the lawsuit continues. “Nevertheless, the University did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain.”
Google detailed its use of EHRs, including ones obtained from the University of Chicago, in a 2018 research paper. The Big Tech company claimed that there are no privacy concerns because the records did not include the identities of patients.
Although Google claims to lack the personal identity associated with each set of information, the complaint calls this a “false sense of security” for patients, since Google’s comprehensive data-mining abilities, along with the time and date of each treatment and notes from medical providers that the records contained, allow them to identify each individual.
“While this type of public misinformation campaign may be expected from a tech company that has been known to play fast and loose with the information of its customers, the fact that a prominent institution like the University of Chicago would act in such a way is truly stunning,” the complaint says.
According to the lawsuit, Google has been interested in using algorithms to predict looming health issues. To gain the necessary information, Google first developed a personal health information storage platform that it later discontinued because few consumers participated. The company then bought DeepMind, a startup that uses artificial intelligence (AI) to study health care.
UChicago is not the sole institution that has collaborated with Google regarding medical information. Stanford University and the University of Kalifornia, San Francisco have similar partnerships, according to the research paper published by Google.
UChicago has refused to comment.
A Google spokesman maintained that no laws were violated and that multiple individuals and boards vetted the agreement.