First reported by the Wall Street Journal, Google’s “Project Nightingale” program gathered data that included “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth.”
The publication adds that as many as 150 Google employees may have had access to the data and that some could have downloaded it.
Google attained the information through last year’s partnership with Ascension, the country’s second-largest healthcare system. The Catholic, non-profit has more than 34,000 providers across 21 states and the District of Columbia.
Google is using the data to create software that utilizes artificial intelligence and machine learning that can make care suggestions for patients. Forbes writes that as part of the project, Ascension moved patient records to Google’s cloud servers, and a search product allowed healthcare providers to see an “overview page” about their patients.
While Google’s actions certainly appear shady, the federal Health Insurance Portability and Accountability Act of 1996 (HIPPA) "generally allows hospitals to share data with business partners without telling patients, as long as the information is used 'only to help the covered entity carry out its health care functions.'"
In a statement, Ascension wrote: “All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”
In Google’s related post, Cloud president Tariq Shaukat explained: “To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”
Google recently acquired health wearables company Fitbit for $2.1 billion, which led to concerns among some users about how it would use their data. Project Nightingale might be legal, but that’s unlikely to alleviate privacy advocates' fears.