Greatest Medical Record Heist in History
A whistleblower lawsuit alleges the University of Chicago Medicine shared with Google hundreds of thousands of medical records that retained identifiable information. Chicago-based law firm Edelson PC filed the suit on behalf of a former patient, claiming this is a direct violation of HIPAA, given that the data-mining tech giant has access to a plethora of public and nonpublic information that could easily lead to the re-identification of the patient records it received. Edelson’s goal is to expand the case into a class-action lawsuit if other patients come forward.
Widespread utilization of electronic health records (EHR) has revolutionized modern medicine. The expansive, complex data collected in these systems are now the focus of efforts to improve the quality of healthcare. Collaboration between health systems and tech companies is becoming increasingly common as the healthcare industry strives to change the future of medicine using data analytics and machine learning to enhance clinical diagnostics and disease prediction, ultimately saving lives.
In 2017, Google teamed up in one such partnership with the University of Chicago in hopes of bolstering predictive analytics. Their aim was to develop machine-learning techniques able to predict hospitalizations and identify when a patient’s health is declining. The data shared involved patients seen at the University of Chicago from 2009 to 2016.
“Publicly, Google and the University touted the security measures used to transfer and store these records, along with the fact that they had been ‘de-identified.’ In reality, these records were not sufficiently anonymized and put the patients’ privacy at grave risk,” the lawsuit claims.
False Sense of Security
To ease fears over privacy, Google and the University claimed they had de-identified the medical records, a claim that the prosecution states is “incredibly misleading.” A team of data-warehouse staff was in charge of stripping all patient identifiers, such as names, dates of birth, Social Security numbers, and any other unique characteristic or code, from the data before giving Google access. Unfortunately, these efforts were not good enough. The problem is that the records provided to Google retained detailed, identifiable date-stamps and free-text provider notes in addition to patients’ medical information and demographics, information that ultimately enables Google to identify the patients.
Although the HIPAA Privacy Rule does permit the disclosure of a limited data set for the purposes of research, the information included in the files UChicago shared makes the transfer of these medical records a direct violation of HIPAA.
“And as if all of this weren’t bad enough, the University also engaged in a cover-up to keep the breach out of the public eye so as to avoid the public backlash,” states the lawsuit. It alleges the university shared health data despite its admission forms stating that it would not disclose patients’ records to third parties, such as Google, for commercial purposes. It goes on to state, “The University did not notify its patients, let alone obtain their expressed consent, before turning over their confidential medical records to Google for its own commercial gain.”
The lawsuit calls Google “one of the most prolific data mining companies,” “uniquely able to determine the identity of almost every medical record the University released.” It further states that the way UChicago shared private medical information practically guaranteed Google’s ability to re-identify those patient files. Google has further enhanced this ability via the newest addition to its healthcare operations, DeepMind Health. This direct subsidiary is the global leader in artificial intelligence and machine learning. Google’s DeepMind has faced scrutiny over a controversial patient data-sharing collaboration with Britain’s National Health Service.
Google spent over 10 years attempting to gain a foothold in the trillion-dollar-per-year healthcare industry, states the lawsuit, and in 2017, it “set into motion a plan to make its most significant play in the healthcare space.” To strengthen its ability to develop healthcare technologies, the tech giant first needed to gain access to massive amounts of identifiable patient health records. Not surprisingly, shortly after obtaining volumes of medical records from UChicago, it filed a patent for its own proprietary and commercial EHR system. By acquiring what most data-miners would consider the “Holy Grail” of health information, Google strengthened its foothold in the predictive health analytics industry.
Both the University of Chicago and Google argue that they complied with all applicable laws and regulations related to patient privacy in the sharing of health data, despite the allegations that their actions constitute a breach. Now it is up to the courts to decide whether Google’s aggressive efforts to break into the healthcare industry and UChicago’s transfer of hundreds of thousands of patients’ records constitute deceptive, unlawful conduct.