An Illinois resident has sued Google, along with the University of Chicago and its medical center, over what he alleges is “likely the greatest heist of consumer medical records in history.”
According to the proposed class action, Google attempted to enter the healthcare space in 2017 with a two-pronged approach. First, the company would obtain the electronic health records (EHRs) of “nearlyevery patientfrom the University of Chicago Medical Center (UCMC) from 2009 to 2016.” The company would then, the suit continues, file a patent for its own “proprietary and commercial EHR system” that would be kept quiet until after it had obtained hundreds of thousands of EHRs from the university.
Indeed, the search giant needed “massive amounts of identifiable medical records” to develop the type of healthcare technologies most “in line” with its data mining and analytics platforms, the lawsuit says, adding that access to this type of data is “extremely elusive.” Google allegedly made repeated attempts at obtaining identifiable medical records but was rebuffed by hospitals, researchers and healthcare providers until it linked up with the University of Chicago.
According to the complaint, Google flew “under the radar” as it collected a trove of information from UCMC that included everything from usernames, passwords and credit card numbers to highly sensitive private medical information detailing a patient’s medical afflictions, height, weight, recent medical procedures and mental health conditions. This is all despite the fact that the University of Chicago, the plaintiff says, promised on its admission forms that it would not disclose patients’ private information to third parties for commercial purposes.
“[T]he University did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain,” the case says.
Google and the University of Chicago attempted to provide “a false sense of security” over the EHRs disclosure and claimed that the medical records were de-identified. The plaintiff argues, however, that this claim was “incredibly misleading” given that the records included detailed time stamps and “copious free-text notes.” Google, a prolific data-mining company, is able to determine the identity of nearly every record it’s come to possess from the university, the lawsuit says.
The lawsuit goes out of its way to chastise the University of Chicago, particularly for its alleged cover up of the breach. The suit argues that while the public has more or less come to expect public misinformation campaigns from a tech company, it’s “truly stunning” that an institution such as the school would engage in such.
Through a spokesperson, the University of Chicago said that its medical center “entered into a research partnership with Google as part of the Medical Center’s continuing efforts to improve the lives of its patients” and that this research partnership “was appropriate and legal.”