UChicago Accused of Illegally Sharing Patient Data with Google

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization.

UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of a study aimed at advancing the use of artificial intelligence, but patient authorization was not obtained in advance and data were not properly deidentified.

In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients.

The HIPAA Privacy Rule does not prohibit such disclosures, but before patient health information is disclosed, either patients must give their consent or the protected health information must first be de-identified – stripped of the 18 identifiers that allow protected health information to be tied to a particular patient.

The lawsuit was filed by a former patient of UChicago Medicine, Matt Dinerstein, who had been admitted to UChicago Medicine on two occasions in June 2015.

In the lawsuit, Dinerstein claims that huge quantities of patient data were provided to Google without authorization from patients and that patient information was not correctly deidentified. Currently, Dinerstein is the only plaintiff named in the lawsuit, but the suit will be expanded to a class action should other patients come forward.

According to a spokesperson for UChicago Medicine, the claims in the lawsuit are “without merit” and no information was shared with any third party in violation of HIPAA or other regulations protecting patient privacy.

While several hospitals participated in the study and supplied patient data to Google, UChicago data differed as it contained time stamps and information about when patients were admitted and discharged from hospital.

Google confirmed in a 2018 research paper on scalable and accurate deep learning for electronic health records that medical record data had been obtained from UChicago Medicine and that all data were deidentified, but dates of service were included in the data set.

Since Google already holds vast quantities of data on individuals, it could potentially tie the UChicago Medicine data to other information to re-identify patients.

The lawsuit claims that since Google acquired DeepMind in 2014, the company has the machine learning technologies to be able to tie medical records to personal information in Google user accounts, although no evidence has been obtained by the law firm to suggest Google has misused any patient data.

“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class action lawsuits against tech companies.

Author: HIPAA Journal
