Google, University of Chicago named in patient data privacy suit

The University of Chicago and Google are named in a suit contending that they failed to protect the privacy and security of patient data because it was not fully de-identified.

The healthcare organization and the data analytics giant are working together, with Google using patient information in the electronic health records system of the University of Chicago Medical Center to do research on using information within the records to help physicians identify medical conditions.

At issue is whether the data is sufficiently scrubbed clean of patient-identifiable information, in particular the fact that it still contains date stamps and free-form physicians’ notes.

Plaintiff Matt Dinerstein, who was a patient in the hospital, charges in the lawsuit that this unprotected patient data is the most sensitive and intimate information in an individual’s life and its unauthorized disclosure to Google is damaging to a person’s privacy.

“Beginning in 2017, Google set in motion a plan to make its most significant play in the healthcare space,” the suit contends. “This plan had two key components—to obtain the electronic health record of nearly every patient from the University of Chicago Medical Center from 2009 to 2016, and to file a patent for its own proprietary and commercial EHR system that would not be published until well after it had obtained hundreds of thousands of EHRs from the University.”

University of ChicagoMD-CROP.jpg

In the suit, Dinerstein notes the sensitivity of patient data in EHRs. “The disclosure of EHRs is even more egregious because the University promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes. Nevertheless, the University did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain.”

Also See: Why patient communications has become a privacy conundrum

The lawsuit further charges that the defendents claimed medical records were de-identified, but that claim is misleading. “The records the University provided Google included detailed date stamps and copious free-text notes. Google, as one of the most prolific data mining companies, is uniquely able to determine the identity of almost every medical record the University released.”

Dinerstein seeks all appropriate damages and injunctive relief to address, remedy and prevent further harm to himself and the rest of the plaintiff class.

Google has issued a statement on the lawsuit.

“We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago.”

Comment from the University of Chicago was not available.

The complete lawsuit is available here.

For reprint and licensing requests for this article, click here.