A law firm on Wednesday filed a lawsuit accusing the University of Chicago Medical Center, the University of Chicago, and Google of sharing identifiable patient data, including check-in dates and medical diagnoses, without permission—an allegation that the university denies.
The lawsuit was filed on behalf of a single patient but may be expanded into a class action suit, according to STAT News.
Why Google sought out patient medical records
Google is at "the forefront" of efforts to train machines to help diagnose medical conditions based on the information contained in EHRs, the New York Times reports.
The company partners with hospitals and other medical facilities to access their old health records, which it then uses to train machines to recognize patterns related to diagnoses and patient outcomes. The University of Chicago Medical Center in 2017 announced it would share its records with the tech company.
Google has analyzed the EHR records of more than 216,000 patients seen at the University of Chicago or the University of California, San Francisco between 2009 and 2016, according to STAT News. Those data sets contained 46.9 billion data points, including patient demographics, medicines, and diagnoses.
While Google and the University of Chicago said they shared only de-identified medical records, a lawsuit filed by the law firm Edelson PC on Wednesday alleged that the "records were not sufficiently anonymized."
The suit was filed on behalf of Matt Dinerstein, a patient who stayed at the University of Chicago Medical Center twice in 2015. During his stays, Dinerstein used a smartphone with Google applications but never consented to having his medical information shared with Google, according to the suit.
The lawsuit contends that Google could match the EHR information provided by the medical center—particularly patients' check-in dates—with consumer information collected through Google software, such as Google Maps and the Android operating system. In conjunction, the lawsuit alleges, these records could identify individual patients.
The lawsuit accuses the university of violating HIPAA and of consumer fraud and fraudulent business practices.
"We believe that not only is this the most significant health care data breach case in our nation's history, but it is the most egregious given our allegations that the data was voluntarily handed over," said Jay Edelson, founder of Edelson PC.
Dinerstein did not offer evidence that Google misused his information or attempted to identify patients, according to the Times.
University of Chicago Medical Center denies allegations
A spokesperson for the medical center said its partnership with Google was "appropriate and legal" and called the claims "baseless and a disservice to the Medical Center's fundamental mission of improving the lives of its patients." The spokesperson said that the university and the medical center plan to "vigorously defend this action in court."
A Google spokesperson in a statement said the company followed HIPAA guidelines that allow for disclosing personal health information without authorization in certain cases for research. The spokesperson said Google "believe[s] our health care research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data."
The lawsuit highlights the difficulty of preserving patient privacy as more companies use patients' health records data to train their machine learning systems, according to STAT News.
According to STAT News, "If the suit can attract more plaintiffs, it could open up a new front in the debate over when and whether patient data can be truly de-identified" (Robbins, STAT News, 6/26; Wakabayashi, New York Times, 6/26; Neidig, The Hill, 6/27).