Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged Mr. Dinerstein’s confidential protected health information was shared with Google without properly de-identifying the data, as free-text notes from doctors and nurses were included in the data along with associated time stamps.  That information had come to light following a 2018 research study which confirmed notes and time stamps were included in the data.

The lawsuit alleged the inclusion of that information meant the data shared with Google was not sufficiently de-identified. Since Google already had a substantial store of information, it is possible that patients could be re-identified, which created a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Federal Judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an interference that the value of that property has been diminished by the University’s or Google’s actions,” said Judge Pallmeyer, also saying royalties are only appropriate for interference with a property right, and the plaintiff had failed to establish he had such rights to his PHI. Judge Pallmeyer also said in the ruling that Mr. Dinerstein had failed to adequately demonstrate the alleged privacy breach had caused him economic damage. The plaintiff has the right to file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.