Whistleblower: 50m patients not told of secret data transfer to Google

13 Nov 2019

Image: © Andrei/Stock.adobe.com

A whistleblower has claimed that the transfer of patient data on 50m people to Google from a major US healthcare provider is being kept secret.

The Wall Street Journal recently reported on the existence of Project Nightingale, a secret initiative between Google and Ascension, the second-largest healthcare provider in the US. Under the project, patient data – including full names and medical histories – would be transferred over to Google as part of the company’s efforts to boost its presence in healthcare.

However, a whistleblower who works on the project has come forward to The Guardian, claiming that more than 50m patients whose data will be transferred to Google haven’t been informed.

In a video released to the site Daily Motion, the whistleblower said that Google staff could access patient information just by searching for a person’s name in a custom-built search engine. This would suggest that private data has not been anonymised, unlike other efforts to combine vast catalogues of data for healthcare research.

In the video, the whistleblower said that all of the patient records will be uploaded to the cloud for Google access by February or March of next year “before answering [Ascension’s] security concerns and before putting necessary protocols in place”, adding that the company is “rushing to do this”.

The whistleblower claims to be one of about 300 people working on Project Nightingale, almost evenly split in numbers of Google and Ascension staff. Documents from a private Ascension meeting within the video show a number of concerns raised by the healthcare giant about Google’s plans to use this data for new AI and other research tools.

‘This is a totally new way of doing things’

One note stated that an employee “expressed concerns of individuals downloading patient data – need to make sure everyone is trained to not be able to do that”. The notes went on to raise fears that what Google is doing might be in breach of US laws, specifically the Health Insurance Portability and Accountability Act (HIPAA).

Speaking with The Guardian, the whistleblower – who has not been identified – said they released the documents because of growing concern among Project Nightingale staff and the strict secrecy surrounding the transfer of patient data.

“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place,” they said.

“This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.”

Following the details going public, both Google and Ascension have released statements to the Wall Street Journal. Google Cloud said the project’s aim was “ultimately improving outcomes, reducing costs, and saving lives”.

Ascension said: “All work related to Ascension’s engagement with Google is HIPAA-compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com