A former UChicago Medicine patient filed a lawsuit claiming that his medical information along with those of hundred other patients were shared with Google with no prior authorization.
The lawsuit accuses UChicago Medical Center, UChicago Medicine, and Google. The suit alleges that patient data was disclosed to Google when included in a study geared towards advancing the usage of artificial intelligence. However, there was no patient authorization obtained beforehand and data were not appropriately de-identified.
In 2017, UChicago Medicine began sending patient information to Google to be included in a project looking at how to use historical health record information to forecast future medical events. Patient information were inputted in a machine learning system that tried to generate health predictions concerning patients.
The HIPAA Privacy Rule does not forbid this sort of disclosure. However, patient consent must be obtained first or protected health information (PHI) must be de-identified first before patient health data could be disclosed.
Matt Dinerstein, a former UChicago Medicine patient, filed the lawsuit. Dinerstein was admitted to UChicago Medicine twice in June 2015. In the lawsuit, he alleges that substantial amounts of patient information were furnished to Google with no patient authorization nor de-identification of patient data. At present, the lawsuit named Dinerstein as the only plaintiff, however, the suit is going to become a class action if other patients would come forward.
A UChicago Medicine spokesperson claims that the lawsuit is “without merit” and that the medical center did not share any information with a third-party, hence there is no violation of HIPAA or other patient privacy regulations.
Although a number of hospitals took part in the study and provided patient information to Google, UChicago data was different because it included time stamps and details about the patients’ admission to and discharge from the hospital.
In a research paper about scalable and accurate deep learning of electronic medical records in 2018, Google confirmed that UChicago Medicine provided de-identified medical record data, but the data set included the dates of service.
Considering that Google already retains huge quantities of information on individuals, it is possible that UChicago Medicine data could be tied in with other data and re-identify patients.
The lawsuit states that Google obtained DeepMind in 2014, which is a company that possess machine learning technologies that could be used to match medical records to personal data in Google User accounts. But the law company does not have any evidence showing the misuse of any patient data by Google.
Jay Edelson, the founder of Edelson PC, said that this healthcare data breach is very significant in today’s history. Moreover, it is the most egregious considering that allegedly data was voluntarily disclosed. Edelson PC is a law organization specializing in class action lawsuits filed against tech firms.