Google collected personal and health information belonging to tens of millions of patients across 21 states in the United States by secretly collaborating with a chain of hospitals and clinics through a new initiative called Project Nightingale.
News about the secretive Project Nightingale launched by Google last year was published by the Wall Street Journal on Monday. The publication revealed that the technology giant collaborated with Ascension, a "Catholic chain of 2,600 hospitals, doctors’ offices and other facilities".
Thanks to the new project, data collected by Ascension-owned hospitals, clinics and other facilities from patients, including their personal and health information, were passed on to Google for treatment and administrative purposes.
Information collected by such healthcare facilities and passed on to Google included results of lab tests, doctor diagnoses, hospitalisation records, radiology scans, details of medications, and patients' medical conditions. It also included detailed personal information such as names, dates of birth, addresses, family members, list of allergies, and immunisations of patients.
The Wall Street Journal reported that none of the patients were notified about the transfer of their personal and health information to Google and that some Ascension employees "raised questions about the way the data is being collected and shared, both from a technological and ethical perspective".
However, the Health Insurance Portability and Accountability Act of 1996 allows hospitals in the United States to share patients' data with partners and third parties without taking prior consent as long as such data is being used only to help the covered entity carry out its health care functions. Hence, the transfer of patient data from Ascension facilities to Google under Project Nightingale could actually be completely legal.
Google and Ascension claim Project Nightingale upholds security & privacy of patients
Following the publication of the report, Ascension announced its partnership with Google on its website, stating that the partnership involves "the programmatic integration of new care models delivered through the digital platforms, applications, and services" to better meet the needs and expectations of patients and healthcare providers.
The nonprofit healthcare organisation added that thanks to the collaboration, Ascension’s infrastructure will be migrated to the Google Cloud Platform for better data integration, privacy, security, and compliance.
The collaboration will also involve transitioning to Google’s G Suite productivity and collaboration tools that will enhance Ascension associates’ ability to communicate and collaborate securely in real-time, supporting interdisciplinary care and operations teams across Ascension sites of care.
"All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling," Ascension added.
While announcing Google's partnership with Ascension in a blog post published earlier today, Tariq Shaukat, President, Industry Products and Solutions for Google Cloud, said that his company is helping the healthcare organisation shift its infrastructure to its own private and secure Google Cloud environment, use G Suite productivity tools to enhance employees’ ability to communicate and collaborate securely in real time, and provide Ascension with tools that the organisation can use to support improvements in clinical quality and patient safety.
"All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.
"This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care. To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data," Mr Shaukat said.
"Some of the solutions we are working on with Ascension are not yet in active clinical deployment, but rather are in early testing. This is one of the reasons we used a code name for the work—in this case, “Nightingale"," he added.
Google collected medical records of 1.6m UK patients from Royal Free NHS Foundation Trust
Google had carried out a similar large-scale collection of patient data from the Royal Free NHS Foundation Trust as part of its Google DeepMind project to 'develop and deploy a new clinical detection, diagnosis and prevention application and the associated technology platform' for the Trust.
As per their agreement, the Trust had provided partial patient records of over 1.6 million patients to Google and these records included personally identifiable information, and also contained data obtained from the trust's electronic patient record system.
Even though the trust told the Information Commissioner's Office that DeepMind used the 1.6 million patient records only for clinical safety tests and for no other purpose, the latter held that the trust failed to adequately inform patients that their data would be used by DeepMind for conducting clinical safety tests.
“Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening," said Information Commissioner Elizabeth Denham.
Last year, Facebook was forced by regulators to shelve a research programme that involved the company obtaining detailed medical records of patients from several leading U.S. hospitals and matching such data with patients' Facebook profiles. According to Facebook, the research programme was aimed at helping medical professionals develop "specific treatment and intervention plans that take social connection into account".
News about the questionable research programme was first revealed by CNBC who noted that while Facebook told the hospitals that personally identifiable information in the patient data obtained from them would be obscured, the company wanted to use a 'hashing' technique to match a patient's medical and social profiles which could then be used by medical professionals to develop specific treatment and intervention plans.