Verily Faces Lawsuit Over Alleged HIPAA Violations

Verily, owned by Alphabet, is facing a lawsuit filed by an ex-employee who alleges that the company misused the personally identifiable health information of over 25,000 patients and failed to submit breach reports as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, previously known as Google Life Sciences, is a research institution owned by Alphabet, Google’s parent organization. The Verily platform uses AI-powered health solutions that help pharmaceutical companies bring new treatments to market faster and help health systems and payers improve patient outcomes at a lower cost. The lawsuit claims that an internal investigation verified HIPAA breaches involving HIPAA-protected information from 14 HIPAA-covered entities. The lawsuit states that patient information was used without consent, a violation of the HIPAA Privacy Rule. It further states that the investigation uncovered instances of patient information misuse, but Verily did not disclose the data breach and delayed notifications while contract renewals were negotiated with the impacted regulated entities, a violation of the HIPAA Breach Notification Rule.

Although the lawsuit was filed in 2024 by Ryan Sloan, Verily Onduo’s ex-chief commercial officer, it went unreported in the media until CNBC noticed the lawsuit and reported it. The defendants sought dismissal or a resolution through settlement, but did not succeed. The lawsuit is now pending in the U.S. District Court for the Northern District of California in San Francisco.

Verily hired Sloan in 2020, and his contract was ended in January 2023. Sloan states that in January 2022, he and Onduo’s general counsel, Julia Feldman, found HIPAA violations and reported them to senior management. Sloan cited the use of patient data for research, advertising campaigns, national conferences, and press releases, uses that the HIPAA Privacy Rule does not allow without the patients’ consent.

Sloan asserts that he and Feldman repeatedly brought up the issue with senior management. Verily conducted an internal investigation that confirmed several HIPAA breaches of business associate agreements (BAAs) with HIPAA-regulated entities, including Highmark Health, Quest Diagnostics, Walgreens Boots Alliance, and others. Even with the confirmed HIPAA breaches, Sloan claims Verily did not issue any notification.

He states that in August 2022, during a contract negotiation with Highmark Health, Verily stated that it had been HIPAA-compliant at all times, even though the company was aware of the confirmed HIPAA violations, which affected Highmark Health data. The lawsuit alleges that Feldman was fired in August, together with another person who knew of the HIPAA breaches. Sloan was dismissed in January 2023, which he says was because he continually raised the HIPAA violation issues and the whitewashing of the HIPAA breaches.

HIPAA has no private cause of action, so individuals cannot file suit for HIPAA violations. Only the state attorneys general and the HHS’ Office for Civil Rights (OCR) are authorized to file a lawsuit for HIPAA violations. The Sloan v. Verily Life Sciences LLC lawsuit instead alleges that Verily retaliated against Sloan after he brought up the HIPAA violations, which is a breach of his work contract. Verily rejects the accusations.

Verily states that the accusations and contentions made in this employment matter, which began in 2023, lack merit. Verily says it will defend itself in court and stands by its assertion that it is an equal opportunity employer and takes compliance with all laws and regulations seriously.

Image credit: Suriyo, AdobeStock / logo©Verily


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.