A federal appeals panel won’t reboot a class action accusing Google and the University of Chicago Medical Center of violating patient privacy laws, a complaint rooted in allegations of harvesting patient data so the tech giant could build a new health record management system.
In September 2020, U.S. District Judge Rebecca Pallmeyer said plaintiffs couldn’t show how anyone was actually harmed by the alleged sharing of patient information or the alleged breach of the confidentiality contract between patients and the hospital. The parties argued the plaintiffs’ appeal of that ruling before a U.S. Seventh Circuit Court of Appeals panel in September 2021.
Judge Diane Sykes wrote the panel’s opinion, issued July 11; Judges Joel Flaum and Thomas Kirsch concurred.
According to court records, Google sought to use artificial intelligence to anticipate patient needs. The UC Medical Center said it anonymized medical records before giving them to Google to use for training algorithms. The parties have been in court on the privacy violation claims since June 2019, when attorneys from Edelson P.C., the prominent Chicago class action law firm, sued in Chicago federal court on behalf of named plaintiff Matt Dinerstein.
“Dinerstein omitted from his opening brief any discussion about the claims for unjust enrichment or breach of an implied contract,” Sykes wrote. “By doing so, he abandoned these claims on appeal, and we need not consider them,” leaving claims about privacy, breach of express contract, consumer fraud and contractual interference.
Arguing before Pallmeyer, Dinerstein asked her to agree the Illinois Supreme Court, if given the chance, would agree medical providers have a common-law duty to maintain patient confidentiality. Although Pallmeyer didn’t address the question, Sykes wrote, “Dinerstein has chosen to stick with the new version of his privacy claim on appeal.”
Dinerstein didn’t allege Google figured out his identity, the panel said, but argued the transfer of records gives him grounds for a lawsuit and further contended the UC records weren’t sufficiently rendered anonymous. However, the panel said, his only evidence for the latter argument is a presentation a school official made to Google discussing typical deficiencies in de-identification, with no specifics about his individual records.
“Aside from the date stamps, Dinerstein does not pinpoint any information within the records that he thinks should have been redacted and was not,” Sykes wrote. “Nor does he allege that the date stamps alone were impermissibly identifying. At most he alleges that some personally identifying information ‘may have evaded redaction’ — a hypothetical that does not support his repeated but conclusory assertions that the University’s records were insufficiently anonymized.”
Allegations concerning Google, the panel continued, were similarly hypothetical because Dinerstein’s allegations addressed future conduct. Sykes said a claim for “imminent and substantial” risk of harm can only be used to seek forward-looking relief, such as an injunction, and not financial damages. The panel also said Google and UC had a contract expressly prohibiting the use of records to identify anyone and Dinerstein makes no allegations Google has or will violate that provision.
The breach of contract claim addressed only the university as it concerned privacy practice notices patients sign during the hospital admissions process. The panel said Dinerstein’s privacy interests failed to qualify for standing under this claim as well. It then analyzed his argument he either overpaid for medical treatment or was undercompensated for his medical records, as well as that the alleged breach is on its own an injury that gives him standing to sue.
Beyond the release Dinerstein signed agreeing he wasn’t entitled to compensation for use of medical information, the panel said state law doesn’t grant property interest in medical records, which belong to the provider. On his contract claim, the panel found Dinerstein didn’t adequately allege the breach was anything more than a legal injury. To establish standing, he would’ve needed to allege a concrete harm.
“We need not spend much time addressing the tortious-interference and consumer-fraud claims,” Sykes wrote. “Both rest on the same allegations of a privacy, pecuniary or contractual injury that we’ve already examined and deemed insufficient to confer standing."
The University of Chicago has been represented by attorney Brian D. Sieve, and others with the firm of Kirkland & Ellis LLP, of Chicago.
Google has been represented by attorneys with the firms of Cooley LLP, of San Francisco, and Neal & McDevitt, of Northfield.