Google in deal to transfer full medical records from US healthcare company, claims whistleblower
Google denies whistleblower claims that it plans to "mine patient information" and "sell or share data with third parties"
Google has been accused of striking a secret deal this week with a US healthcare provider to transfer the full medical records of as many as 50 million Americans.
The deal, according to a whistleblower who claimed to be involved in the project, will include the transfer of medical records "without patient knowledge or approval", and could potentially compromise patient confidentiality.
To back-up the claims, the whistleblower uploaded a video containing a series of PowerPoint slides and other files related to ‘Project Nightingale', to the Daily Motion video-sharing website.
The deal between the two companies carried the seal of approval of executives at the highest level of both Google and Ascension, the healthcare organisation providing the patient records to the internet giant. The deal was signed on Monday.
Pillar four is where Google uses Ascension data to mine patient information, run analytics, run AI algorithms, [and] sell or share data with third parties
"Google is secretly transporting data to its own servers without patient knowledge or consent," claimed the whistleblower.
The deal involves four stages or ‘pillars', the first two of which involves transferring patient data to the Google Cloud. "Pillar three is Google using Ascension data to build its own framework in the cloud.
"Pillar four is where Google uses Ascension data to mine patient information, run analytics, run AI algorithms, sell or share data with third parties, create profiles of patients that they can later advertise-to online, with healthcare ads targeted to their specific healthcare issues," the whistleblower claimed.
Part of the rationale for the deal, according to the whistleblower, is that patient records hosted in the cloud will be more easily available across Ascension's 2,600 sites.
All of this personally identifiable information and patient health information can be accessed by Google employees
The whistleblower also claimed that the records would not be fully secure and that the system is non-compliant with the US HIPAA patient privacy regulations. Google has denied that the data transfer won't be HIPAA compliant.
"All of this personally identifiable information and patient health information can be accessed by Google employees… How does Google profit? In the short and long term they can mine data and sell findings. They could sell to advertisers or third parties," suggested the whistleblower.
The whistleblower added that, while previous Google Cloud migrations with healthcare providers had kept encryption/decryption solely in the hands of the healthcare providers, the Ascension deal is different.
In an interview with The Guardian today, the whistleblower claimed that the data was being "haphazardly transferred to Google without proper safeguards and security in place", adding that Google was amassing "sensitive and potentially valuable data" as a result of its targeting of the healthcare sector.
However, Google quickly moved to quash suggestions that patient data and confidentiality are under threat. It claimed that the deal is just the latest in a series of initiatives by healthcare providers to put patient records systems 'in the cloud'.
"All of Google's work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage," wrote president of Google Cloud's industry products and solutions, Tariq Shaukat, in a blog post.
"Under this arrangement, Ascension's data cannot be used for any other purpose than for providing these services we're offering under the agreement, and patient data cannot and will not be combined with any Google consumer data."
In its own statement, healthcare provider Ascension admitted that it planned to use artificial intelligence and machine learning applications on patient records, but to help improve clinical effectiveness and patient safety.
Google also has deals in the UK involving patient data, which have come under critical scrutiny.
These include a deal with Taunton and Somerset NHS Foundation Trust, but its deal with Royal Free London NHS Foundation Trust was slammed for being "secretive", and lacking in transparency and accountability.