CHICAGO — Google and the University of Chicago Medical Center are facing a class action lawsuit accusing the hospital of violating federal privacy law by sharing patient health records with Google, which the internet giant allegedly used to create its own electronic health record management system.
On June 26, attorneys from the firm of Edelson P.C. filed a complaint in Chicago federal court on behalf of named plaintiff Matt Dinerstein. The lawsuit alleges Google “pulled off what is likely the greatest heist of consumer medical records in history.” Saying personal information such as credit card and Social Security numbers is “run-of-the-mill” data, the lawsuit said “the personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy.”
According to the complaint, Google in 2017 enacted a plan to obtain electronic health records from nearly every UC Medical Center patient from 2009 to 2016 and then “file a patent for its own proprietary and commercial EHR system that wouldn’t be published until well after it had obtained hundreds of thousands of EHRs from the University.”
Jay Edelson
Dinerstein’s complaint said the university’s patient admission forms promise to not disclose records to third parties for commercial purposes, and further alleged Google and UC falsely claimed the records didn’t contain individual patient information because they “included detailed datestamps and copious free-text notes,” and using detailed geolocation information “Google — as one of the most prolific data mining companies — is uniquely able to determine the identity of almost every medical record the University released.”
The complaint said Google used a direct subsidiary called DeepMind to analyze medical records and create commercial products, using its artificial intelligence machine learning to make connections between hospital records and Google user data. It also said most “hospitals, researchers and health care providers alike” rebuffed Google’s efforts, until it got UC to agree to provide records that should’ve been protected under the Health Insurance Portability and Accountability Act.
Dinerstein said he spent parts of eight days at the UC Medical Center in June 2015, generating “numerous pages of health records.” He said he used his smartphone during the stay, including Google software and accounts, allowing the company to link his unnamed records to his other personal information.
He said UC and Google jointly published a January 2018 article in Digital Medicine, at nature.com, describing the research and methodology while acknowledging the contents of the records.
“Only months after the transfer was complete did it become public that the datestamps, along with free-text notes data, were only provided by the University, and not by any other hospital working with Google,” Dinerstein said. “That’s not simply a coincidence or a failure to persuade on the part of Google. Rather, the reason no other hospital, including the other health care providers partnering with Google, provided this type of information is because it would be a prima facie violation of HIPAA to share or even receive medical records in this form.”
Formal complaints include a violation of the Consumer Fraud and Deceptive Business Practices Act and breach of express or implied contract against UC, tortious interference with contract and unjust enrichment against Google and intrusion upon seclusion against both.
Dinerstein said the class would include “hundreds of thousands of individuals.”
In addition to damages, class certification and a jury trial, Dinerstein seeks an injunction forcing UC to comply with HIPAA regulations, a court order barring it from disclosing records without patient consent and another order prohibiting Google from using and forcing it to delete records it obtained from the school.