A former patient of the University of Chicago Medical Center is suing the institution amid claims it violated patients’ privacy rights.
The class-action lawsuit claims records containing identifiable patient information were shared as a result of a partnership between Google and the University of Chicago.
All three institutions are named as defendants in the suit, which was filed Wednesday in the Northern District of Illinois by Matt Dinerstein, who received treatment at the medical center during two hospital stays in 2015.
The collaboration between Google and the University of Chicago was launched in 2017 to study electronic health records and develop new machine-learning techniques to create predictive models that could prevent unplanned hospital readmissions, avoid costly complications and save lives, according to a 2017 news release from the university. The tech giant has similar partnerships with Stanford University and the University of California-San Francisco.
But that partnership violated federal law protecting patient privacy, according to the lawsuit, by allowing Google to access electronic health records of “nearly every patient” at the medical center from 2009 to 2016. The suit also claims Google will use the patient data to develop commercial health care technologies.
According to the lawsuit, Google obtained hundreds of thousands of electronic health records containing “sensitive and intimate information” without patients’ consent. Dinerstein “never gave written consent – or any consent whatsoever – to the University to disclose his confidential medical information to Google,” the lawsuit states.
The lawsuit claims the university breached its contracts with patients by “failing to keep their medical information private and confidential.” It also alleges UChicago violated an Illinois law that prohibits companies from engaging in deceptive practices with clients.
A spokesperson for the University of Chicago said in a statement, “The claims in this lawsuit are without merit. The University of Chicago Medical Center has complied with the laws and regulations applicable to patient privacy. The Medical Center is committed to providing excellent patient care and to protecting patient privacy.”
In launching the partnership, the university and Google said patient data would be kept private and secure, and they would “strictly” follow HIPAA privacy rules. (The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that requires health care organizations to limit who can access, view or share health data.)
But electronic health records shared with the tech giant included detailed date stamps and copious notes, according to the lawsuit, which claims both Google and UChicago violated HIPAA by “sharing and receiving medical records that included sufficient information for Google to re-identify patients.”
A spokesperson for Google said the company is committed to privacy. “We believe our health care research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago.”
The lawsuit also claims Google was interested in using the data for commercial purposes and that the company has invested in multiple health-related services and products over the past decade. One of those investments was the 2014 acquisition of DeepMind, a startup company that focused on bringing artificial intelligence and advanced machine learning to the health care industry, according to the lawsuit.
That acquisition, the lawsuit claims, has allowed Google to find connections between electronic health records and Google users’ data. In 2015, Google and DeepMind obtained patient information from the Royal Free NHS Trust Foundation to conduct a study, which a data protection watchdog organization said “failed to comply with data protection law.”