Whistleblower reveals secret Google-Ascension healthcare data deal

November 12, 2019
by Thomas Dworetzky, Contributing Reporter
Project Nightingale, a “secret scheme” to transfer 50 million American health records from healthcare provider Ascension to Google has been revealed by the Wall Street Journal.

The data move included names and medical histories of the patients that could be accessed by Google staffers, according to a follow-up story by The Guardian.

The whistleblower also posted a video detailing the project on social media platform Daily Motion that begins with the words, “I must speak out about the things that are going on behind the scenes.”

The Google trove of Ascension data, stressed the reports, is not anonymized by removing personal data through standard de-identification techniques.

The whistleblower shared a presentation of the project that showed it was made of four “pillars” or stages that would lead to a completed transfer of the records of people in 21 states by March 2020.

No patients had been alerted to the transfer. One Ascension worker, reported The Guardian, expressed concerns of individuals downloading patient data — "need to make sure everyone is trained to not be able to do that," the worker wrote in a meeting note concerning the project.

The search giant has cut deals with other healthcare providers beyond Ascension, which has 2,600 hospitals, clinics and other medical outlets. These include smaller organizations like the Colorado Center for Personalized Medicine – although that data was encrypted by the healthcare provider.

The Guardian also reported that the whistleblower — whose identity the paper does not know — expressed concerns, allegedly stating that, “most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place. This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no,” and adding that, “this is the last frontier of extremely sensitive data that needs to be protected.”

Google's healthcare data efforts have raised alarms before. In 2017, 1.6 million records of patients at the Royal Free hospital in London were obtained by its DeepMind Health efforts in a way that was determined to be on an “inappropriate legal basis” by a U.K. watchdog group.

And in July, the University of Chicago Medical Center and Google looked like they would head to court in response to a class action lawsuit filed by Edelson P.C. on behalf of plaintiff Matt Dinerstein that accuses the hospitals of sharing patient health records with the internet giant, which allegedly used information such as date stamps and free-text notes, to create its own EHR management system.

The University of Chicago Medical Center denied these allegations, however, telling HCB News that “the claims in this lawsuit are without merit,” and the all privacy laws and regulations had been followed.

Statements by Google and Ascension after the Nightingale news broke likewise claimed that no HIPAA nor other federal health regulations were broken and that data had been protected, with Google Cloud stating on its blog that the goal of the effort was “ultimately improving outcomes, reducing costs, and saving lives.”

Ascension added in its own statement that, “all work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort, and adherence to Ascension’s strict requirements for data handling.”

“As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve, as well as our own caregivers and healthcare providers. Doing that will require the programmatic integration of new care models delivered through the digital platforms, applications and services that are part of the everyday experience of those we serve,” said Eduardo Conrado, executive vice president, strategy and innovations, of Ascension.

But some considered the explanations inadequate. "Blatant disregard for privacy, public well-being, and basic norms is now core to Google's business model," tweeted Connecticut Democrat Sen. Richard Blumenthal, calling the move “beyond shameful."