UChicago Faces Lawsuit for Sharing Patient Data with Google

UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google with having the correct authorization to do so.

The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine.

The suit claims patient information that still had personal identifiers attached was shared with Google without patient authorization being properly obtained.

The information was shared as part of a study aimed to advance the use of artificial intelligence. In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. A machine learning algorithm would take the patient data and attempt to predict their future health status based on their past conditions.

The HIPAA Privacy Rule allows such disclosures for research purposes, but only if the patient either gives their consent for the disclosure to be made or the information is stripped of 18 personal identifiers that could make the information traceable to a particular individual. According to Dinerstein, UChicago Medicine did not comply with either of these requirements.

Currently, Dinerstein is the only plaintiff named in the lawsuit. The suit could potentially expand to a class-action lawsuit should other patients come forward and join with Dinerstein.

UChicago Medicine denies any wrongdoing. According to a spokesperson for UChicago Medicine, the claims in the lawsuit are “without merit”. UChicago Medicine denies that they shared any information with a third-party in violation of HIPAA or other regulations protecting patient privacy.

Google confirmed in a 2018 research paper on scalable and accurate deep learning for electronic health records that UChicago Medicine had indeed given Google access to medical records for the study. They stated that all data were deidentified, but dates of service were included in the data set. These included the check-in and check-out times of patients.

Dinerstein’s concern is that, as Google already holds vast quantities of data on individuals, it could potentially tie the UChicago Medicine data to other information to re-identify patients.

The lawsuit claims that since Google acquired DeepMind in 2014, the company has the machine learning technologies to be able to tie medical records to personal information in Google User accounts. As of yet, the law firm has not obtained any evidence to suggest that Google has misused any patient data.

“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class action lawsuits against tech companies.

A spokesperson for the hospital stated: “The Medical Center entered into a research partnership with Google as part of the Medical Center’s continuing efforts to improve the lives of its patients. That research partnership was appropriate and legal, and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patient. The University and the Medical Center will vigorously defend this action in court.”

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.