Lawyers, medical professionals and tech experts have reacted with a mixture of horror and fury after it emerged that Google has been secretly acquiring sensitive medical data on millions of people without their knowledge or consent.
Questions were immediately raised around the ethics of the data-gathering operation – code-named Project Nightingale – as well as the security of patient data.
Others called for an immediate change to privacy laws after Google and Ascension, the healthcare organisation it has partnered with, boasted that the scheme is completely legal.
Dr. Robert Epstein, an author, medical researcher and former editor-in-chief at Psychology Today, summed up the mood when he tweeted: ‘You can’t make this s*** up. #BeAfraid.’
Dr Epstein was one of a host of figures to speak out after it was revealed Google has been gathering patient data from Ascension, America’s second-largest health system, since last summer.
The data includes names, dates of birth, lab results, doctor diagnoses and hospitalization records on ‘tens of millions of patients’, according to the Wall Street Journal, which first exposed the story.
Neither doctors nor patients were informed that the data-gathering was taking place or given the chance to opt out.
Following the report, both companies put out press releases acknowledging the partnership, insisting it was designed to ‘improve patients outcomes’, and that it complied with all existing privacy laws and included ‘robust’ data protections.
Chris Vickery, director of cyber risk research for security firm UpGuard, was among those calling for an immediate change to the law.
He tweeted: ‘Lawmakers need to, right now, put some teeth in the consequences for future abuse of this data.
‘It’ll happen if it is not already happening. Put them on notice. Add in mandatory minimum prison time for execs and other employees responsible for any abuses.’
Walt Mossberg, a former technology columnist for the Wall Street Journal and now a leading voice in the industry, added: ‘This is why (a) we need a federal privacy law and (b) can’t be trusted and (c) neither can some giant hospital networks.
‘Note that patients were in the dark and consent wasn’t obtained.’
One Twitter user, going only by the handle Irenes and claiming to be a former Google worker, added their concerns.
‘This is scary. HIPAA (the law covering patient privacy) wasn’t written with privacy protection as its main goal, it’s a lot more permissive than people realize.
‘The fact that so many people seem to feel as though this ought to be a HIPAA violation really highlights the gap between public understanding, and what the law actually says.
‘The law should be much, much stronger – that’s the real story here.’
Julie Rovner, chief health correspondent for Kaiser Health News, added: ‘1) this is apparently perfectly legal. 2) What could possibly go wrong?’
Meanwhile others pointed out that the news puts Google’s recent acquisition of Fitbit in an entirely new light.
At the time of the acquisition, many of the company’s 28 million users announced they were throwing their devices away for fear of Google getting its hands on potentially sensitive medical information.
Google sought to allay those fears by saying it ‘will be transparent about the data we collect and why’ and will ‘never sell personal data to anyone’.
Tiffany C. Li, a legal scholar working in privacy and tech, attempted to bring the issue to the attention of politicians.
However, following the disclosure of Project Nightingale, observers said those concerns had been largely verified.
Tiffany C. Li, an attorney and legal scholar working in tech and privacy, wrote simply: ‘How’s that Fitbit acquisition looking now?’
Hugh Langley, editor of two smart tech publications, added: ‘*This* is why Google bought Fitbit.
‘The big picture is about getting closer to patients, not about the Apple Watch.
‘The deal is already under a lot of scrutiny by some regulators – this story validates those concerns.’
Google says the partnership is aimed at ‘improving patient outcomes and saving lives’ and is compliant with the Health Insurance Portability and Accountability Act (HIPAA) which controls the privacy of health data.
The act allows hospitals to share patients’ medical data with business partners on the condition that it is used to ‘help the entity carry out its healthcare functions.’
As part of its deal with Ascension, Google says the data can only be used for the purpose of providing healthcare at Ascension and will not be combined with consumer data.
Ascension says the partnership is designed to ‘optimize the health and wellness of individuals and communities’.
However, the WSJ gives more information, saying that Google’s end goal is to create a search tool to aggregate patient data and host it all in one place.
Ascension, meanwhile, aims to mine data to identify additional tests that could be necessary or other ways to generate more revenue from patients.