Google Secretly Gathers Medical Records As Health Websites Share Data With Advertisers

Everyone predicted that the ostensible privacy of health records would eventually be breached. What may have been unexpected was that it would happen so soon, in secret.

What was no surprise is that the biggest tech companies are the primary violators of this sensitive data for their own commercial purposes. JL

Mary Beth Griggs reports in The Verge and Nick Wood reports in Telecom TV:

Google secretly gathered millions of patient records across 21 states on behalf of a health care provider. Neither the provider’s doctors nor patients were made aware of the effort. (At the same time) Health websites have passed on sensitive user data to online ad giants, including Google, Amazon, Facebook and Microsoft. 79 of 100 health Websites – including popular destinations like WebMD, Babycentre and Bupa – placed cookies on visitors' devices without their consent, enabling third parties to keep tabs on them.

The Verge Google secretly gathered millions of patient records across 21 states on behalf of a health care provider, in an effort dubbed “Project Nightingale,” reports The Wall Street Journal. Neither the provider’s doctors nor patients were made aware of the effort, according to the report.

The Wall Street Journal’s Rob Copeland wrote that the data amassed in the program includes “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, complete with patient names and dates of birth,” and that as many as 150 Google employees may have had access to the data.

The New York Times corroborated much of the report later in the day, writing that “dozens of Google employees” may have access to sensitive patient data, and that there are concerns that some Google employees may have downloaded some of that data.

But Google tells The Verge that despite the surprise, it’s standard industry practice for a health care provider to share highly sensitive health records with tech workers under an agreement like the kind it signed — one that narrowly allows Google to build tools for that health care provider by using the private medical data of its patients, and one that doesn’t require patients to be notified, the company claims.

A spokesperson challenged the idea that Google has been secretly gathering the health records of millions of Americans, saying the only purpose of such an agreement is to provide services back to the health care provider, and that it didn’t announce it was doing so earlier because work was in the very early stages.

Google has confirmed that it partnered with health heavyweight Ascension, a Catholic health care system based in St. Louis that operates across 21 states and the District of Columbia. The company calls itself “a faith-based healthcare organization dedicated to transformation through innovation across the continuum of care.” According to the WSJ, Google is using data from the system to design software that tailors individual patient care using “advanced artificial intelligence and machine learning.”

the data amassed in the program includes “lab results, doctor diagnoses and hospitalization records” according to the WSJ

Forbes reports that as a part of Project Nightingale, Ascension uploaded patient data to Google’s Cloud servers. The idea was that by using the system, Ascension health providers could use a tool called Patient Search to pull up individual patient pages. According to Forbes, which says it viewed a presentation on the topic, “The page includes complete patient information as well as notes about patient medical issues, test results and medications, including information from scanned documents.”

Google has been focused on health care for a while now, and their focus on the industry has only increased in recent years. Lately, it’s been competing with similar efforts at Amazon and Apple, which are also trying to move into the lucrative health care space. Last year, Google hired a health care executive to oversee its many health initiatives. Around the same time, they announced plans to absorb AI lab DeepMind’s health care division, with the goal of creating an “AI assistant for nurses and doctors.”

The tech company has also been accused of inappropriate access to hundreds of thousands of health care records through the University of Chicago Medical Center. Google had partnered with the University of Chicago Medical Center in 2017 to develop machine learning tools capable of “accurately predicting medical events — such as whether patients will be hospitalized, how long they will stay, and whether their health is deteriorating despite treatment for conditions such as urinary tract infections, pneumonia, or heart failure,” the company said in a blog post. The post also mentions that one of the company’s machine learning ambitions is to “anticipate the needs of the patients before they arise.”

A press release issued by Ascension today, after the WSJ article was published, announced their partnership with Google and said that the goal of the partnership was to “optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities.” It also said that “All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and

protection effort and adherence to Ascension’s strict requirements for data handling.”

Google also published a blog post later in the day confirming that “Nightingale” is the name of its health project. “To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data,” writes Google Cloud president Tariq Shaukat. 

Telecom TV Health Websites have become the latest inductees into our informal Hall of Shame, after several big names were reportedly found to have passed on sensitive user data to online ad giants, including Google, Amazon, Facebook and Microsoft.
The Financial Times reports that 79 of the 100 health Websites it investigated – including popular destinations like WebMD, Babycentre and Bupa – placed cookies on visitors' devices without their consent, enabling third parties to keep tabs on them when they visited other Wesbites. Consent is a legal requirement in the UK.

Malignant

A deeper dive into 10 of those health Websites found that even when consent was granted, the sites' privacy policies were unclear about what data would be shared with third parties and how that data would be used.
This is troubling, because the FT subsequently found, for example, that drug names entered into Drugs.com were shared with Google-owned DoubleClick. It gets worse: symptoms entered into WebMD's symptom checker, plus the resulting diagnoses, and terms including 'drug overdose' were shared with Facebook. In eight cases, unique identifiers that could tally information with a specific individual were shared with third parties.
Under GDPR, it is against the law to share information about someone's health and sexual orientation without first obtaining their explicit consent, and without explaining exactly who it is shared with and what they will use that data for.
None of the Websites checked out by the FT requested this type of explicit consent.

Natural defences

Unsurprisingly, big online advertisers have been quick to defend themselves, although some did a better job than others.
Facebook and Amazon didn't say in the report what they do with the sensitive information they receive. Facebook, which seemingly struggles to grasp the very concept of privacy, said it was conducting an investigation because sharing such sensitive information with it constitutes a violation of its rules. Amazon said it doesn't use information from publisher Websites to segment its advertising audience.
They also laid the blame for sharing user data with the Websites themselves.
The award for best attempt at being beyond reproach goes to Google, which said in the report that it doesn't use medical information to profile users, and has policies that prevent advertisers from using sensitive data to target ads. It also flags health Websites as "sensitive", so user information received from them is not used for personalised ads.

Florence and the machine

It's not like Google holds no interest in people's medical ailments, of course.
As the Wall Street Journal reported earlier this week, Google's Project Nightingale is going straight to the source.
The Internet giant has partnered with US healthcare provider Ascension, enabling it to gather information including but not limited to lab results, diagnoses, hospitalisation records, patient names and dates of birth for millions of people across 21 states, without their knowledge or the knowledge of their doctors.
Google says the data gathering will be used by its AI and machine learning technology to suggest treatments and changes in care for individual patients in a bid to improve outcomes.
According to the WSJ, Project Nightingale falls within the scope of Federal Law; nonetheless, plenty of people will feel uncomfortable with a company like Google having access to the most intimate details of their lives.
It's almost as if Silicon Valley giants hold the general public in contempt, and have little to fear when they get caught doing anything that can be considered ethically questionable.
It's almost as if these companies have perhaps gotten a little too big. If only there was something that could be done about it.