Google Sued For Conspiring To Share Medical Records Against Patient Consent

schwit1 writes: A former University of Chicago medical patient filed a class-action lawsuit against the University of Chicago and Google, claiming that the University of Chicago Medical Center is giving private patient information to the tech giant without patients consent.

About two years ago, the university medical center partnered with Google with the hope of identifying patterns in patient health records to help predict future medical issues.

Now, former patient Matt Dinerstein is filing a lawsuit on behalf of the medical center's patients, alleging that the university violated privacy laws by sharing sensitive health records with Google from 2009 to 2016, aiding Google's goal of creating a digital health record system, according to the student newspaper of the University of Chicago.

She should win

[Anonymous Coward]

Institutions are so wet for google they break all kinds of rules and chalk it up that google are good guys because don't be evil. Its a crock of shit really. At least medical records are protected by law, unlike private messages somehow?

Re:

[stephanruby]

I seriously every patient and student sues individually and gets big bucks.

I hope not.

If we want AI to identify patterns and make predictions based on medical information, I do hope that we can make an exception for using anonymized data for research purposes.

Re:

[DrLudicrous]

It wasn't anonymized. Worse than that, it states so in the manuscript, referring to procedure dates. It would not be impossible to figure out who individual patients are based on that information, therefore it is not properly scrubbed.

Re:

[Anonymous Coward]

It would not be impossible to figure out who individual patients are based on that information

You are right about that, but it goes much further than you took it.

With the amount of data Google has at its beck and call about most of the population, it is damn near impossible to scrub enough identifying data from a medical record to prevent Google from re-identifying it.

A large set of weak associations are enough. No one thing has to be a smoking gun, but if google can find 100 data points that have weak correlations, the net effect can be a very high confidence guess.

It's the same idea as the infamo

Re:

[guruevi]

The question is not whether Google can, but a third party could do the same thing when Google releases the information. Google most likely has a BAA with any medical institution, they can freely share any record for whatever purpose. Google just has to "reasonably" safeguard it from prying eyes, which isn't that hard to do.

Re:

[guruevi]

There are methods of scrambling dates to make them anonymized yet still relevant. You could for example, randomly shift the dates and hours for the entire patient record which would be compliant with HIPAA.

The University could also simply have a BAA with Google, that would also permit them to share the entire record without patient consent. HIPAA simply assures a paper trail has been established and the lawyers are very well fed whenever data sharing occurs; most Universities also have a very wide research

Re:

[ceoyoyo]

The ends justify the means is a lame excuse. There are other ways to do this that don't involve breaking research ethics and informed consent rules that were put in place after the Nazis.

Most patients are usually very happy to consent to research *if they're asked*. The current shit show is because everyone wants to cash in on "AI" and doesn't want to waste time asking.

Re:

[account_deleted]

Comment removed based on user account deletion

Google: Anything to make a fast buck!

[WCMI92]

Your information for sale. Glad that Google had no idea I had strokes.

Re:

[Aighearach]

Your information for sale. Glad that Google had no idea I had strokes.

"had."

They know now!

Google CEO must go to jail forever

[Anonymous Coward]

It's time to start giving CEOs life sentences in jail, this will stop the illegal behavior.

Re:

[The New Guy 2.0]

I'm not so sure this is management's fault... seems like Google's whole employee culture takes must-gather-info disorder seriously.

Re:

[Anonymous Coward]

I'm not so sure this is management's fault... seems like Google's whole employee culture takes must-gather-info disorder seriously.

It's always management's fault. There are no exceptions.

Re:

[Anonymous Coward]

Management gets paid the big bucks supposedly for their disproportionate impact on the corporation. They should get the "big blame" as well.

Re: Google CEO must go to jail forever

[astrofurter]

That disposition towards data rape is called "Googliness".

Here we go again...

[The New Guy 2.0]

Anybody remember Google Health... it was nothing but a health survey that was eventually only used as a dis-qualifier in employment decisions.

Not ethical, not anonymized

[DrLudicrous]

From the lawsuit: "The records the University provided Google included detailed datestamps and copious free-text notes." This is very, very bad. Google can clearly figure out who is who based on this information, coupled with other info in the EHRs. Completely violates good clinical practice in the US and the EU. Definitely violates the GDPR. Violates all ethical norms of patient consent, dating back to the Belmont Report. Seriously, they should be sued, and they should lose, and they should pay dearly. There is no way anyone high-up involved with this work was not aware of the ethical and legal concerns. Unacceptable.

Re:

[guruevi]

One question: Did they have a BAA. If they did, they can share the information with Google.

Re:

[JeffOwl]

Sure, in theory. But then it is up to Google to comply with privacy laws. I think Google is likely incapable of complying with such laws even if they wanted to. As it goes with many lawsuits of this type, you have to sue everyone involved, even if you suspect only one party is to blame, so you can gather the information needed.

Re:

[alexo]

Seriously, they should be sued, and they should lose, and they should pay dearly. There is no way anyone high-up involved with this work was not aware of the ethical and legal concerns.

The "higher-ups" are wealthy and powerful, not to mention being shielded by a big, wealthy and powerful corporation; and big, wealthy and powerful corporations/people do not "pay dearly" (unless they happen to step on the toes of someone even bigger, wealthier and more powerful).

If they get sued and lose (and that's a big if) I expect a penalty amounting to less than one day worth of profits.

Re: Not ethical, not anonymized

[mveloso]

With consent, you can do anything with medical data. What google shared does not need to be stripped of PHI. Everyone signs the HIPAA form, so they only can sue if they didn't sign the HIPAA form, which like nobody does.

Re: Not ethical, not anonymized

[astrofurter]

That's because our kangaroo courts are systemically corrupt from the top down. If something is a right, one cannot waive it be signing some leonine contract.

Rights are inalienable. If you can sign it away, it's not really a right.

A realy problem, maybe....

[Teun]

I know the USofA doesn't have much legislation re. privacy but this sounds extremely bad.
Yet it is quite well possible the data was anonymised before Google was allowed to access it.
At least I would imagine the University of Chicago had the brainpower to do so.

Yes there is more money available at Google but as these patients I would have gone after the UoC.

predict future medical issues = a nice blacklist

[Joe_Dragon]

predict future medical issues = a nice blacklist to be used under the gop healthcare plan

Pretty sure

[cdsparrow]

As long as they signed and followed the guidelines of a HIPAA business associate agreement then it's legal. Probably gonna have problems with this lawsuit. This is no different then sending records to have a lab check over stuff. Patients don't have to explicitly give that permission.

Re:

[cdsparrow]

If patients had to explicitly give permission to all the third parties who may come in contact with the data, nothing could ever be accomplished. The patient gives consent to their data being handled in accordance with HIPAA best practices. Does a patient need to explicitly give permission to the IT people working on the computers? To the 3rd party doing insurance charges? To the 3rd party handling reservations? Nope, these are all carried under the blanket of the original entity the patient is engaged

Re:

[swillden]

What about a log a patient can access to see WHO accessed his data and when they did it?

Interesting idea, but to make it really useful you'd have to log information about what data was examined. It would be hard to distinguish between access to different sorts of test results, for example, without specifying what the tests were, which would give away a tremendous amount of information to anyone who could see the log.

This is always the challenge with transparency logs... you have to be very careful about controlling access to the log. Any slipups could reveal just about as much information

Re: Pretty sure

[astrofurter]

"in order to sell your profile to the gestapo."

FTFY

Re: Pretty sure

[MobyDisk]

A BAA merely means that the 3rd party accepts legal responsibility for data breaches and proper storage of the data. It does not mean that the patient consented to provide the data. A patient consenting to share data with a lab is not the same as comsenting to sharing the data for research usage.

[ascopost.com]

Specifically, de-identified data collected for non-research purposes does not require consent other than that obtained before data collection. However, data collected for research, with or without identifiers, requires consent.

Need Refusal to Share form for patients

[Anonymous Coward]

Regardless, I don't want any tech company or subsidiary of any tech company viewing, touching, thinking about, my fucking records. I don't want my records digitized. DO NOT COPY.

I'm fine if my paper medical files are physically shared with any medical professionals during the coarse of my care or after I'm dead. That sharing should be when I'm explicitly cared for, inside a medial treatment center, not outside the immediate area. I don't want that data shared anywhere else without my explicit, written,

Medical Records

[tquasar]

Every breath you take, every move you make, I'll be watching you. The Police, 1983. I don't trust my doctor. I believe he talks to friends and other doctors at a party or social event and compares stories about patients. Privacy doesn't exist.

Any medical related Emails have already been saved

[Grand Facade]

https://tech.slashdot.org/stor... [slashdot.org]

Was the data anonymized?

[rossz]

I actually want computer analysis of medical data to help find patterns and potential cures. But I also want the data anonymized properly to protect everyone's privacy. Given big tech's history with privacy, however, I am not feeling very secure.

Create something? Google???

[astrofurter]

"Google's goal of creating a digital health record system"

Big Brother Google can't create an EHR. The GOOG hasn't *created* anything since Gmail, 15 years ago. The smart people have long since moved on. All GOOG still knows how to do is us the megaprofits from it's monopoly power to buy up competitors.

Don't be fooled! When Big Brother Google wants your medical records, it has jack shit to do with building an EHR system. GOOG just wants a more complete profile of your private life. So they can sell it to the gestapo, and to any other group of rich miscreants who might want it.

Re:

[DrLudicrous]

Data anonymization absolutely includes scrubbing dates of service. I work with this type of data, what do you do?