The University of Chicago Medical Center and Google may soon be headed to court over allegations of violating federal privacy law.
A class action lawsuit filed by Edelson P.C. on behalf of plaintiff Matt Dinerstein accuses the hospitals of sharing patient health records with the internet giant, which allegedly used information such as datestamps and free-text notes, to create its own EHR management system.
“Only months after the transfer was complete did it become public that the datestamps, along with free-text notes data, were only provided by the University, and not by any other hospital working with Google,” Dinerstein told Cook County Record
. “That’s not simply a coincidence or a failure to persuade on the part of Google. Rather, the reason no other hospital, including the other health care providers partnering with Google, provided this type of information is because it would be a prima facie violation of HIPAA to share or even receive medical records in this form.”
The university’s patient admission forms prohibit the disclosure of records to third parties for commercial uses, according to the suit. Google and UC are said to have lied that the records did not contain individual patient information due to including “detailed datestamps” and “copious free text notes,” and that most “hospitals, researchers and health care providers alike” denied Google’s effort, as it violated the Health Insurance Portability and Accountability Act (HIPAA).
The University of Chicago Medical Center denies all allegations. “The claims in this lawsuit are without merit. The University of Chicago Medical Center has complied with the laws and regulations applicable to patient privacy," a spokesperson told HCB News in a statement. "The Medical Center entered into a research partnership with Google as part of the Medical Center’s continuing efforts to improve the lives of its patients. That research partnership was appropriate and legal and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients. The University and the Medical Center will vigorously defend this action in court.”
It goes on to say that using geolocation information, “Google — as one of the most prolific data mining companies — is uniquely able to determine the identity of almost every medical record the university released,” and that it planned to obtain the EHRs of nearly every UC Medical Center patient from 2009 to 2016 and then “file a patent for its own proprietary and commercial EHR system that wouldn’t be published until well after it had obtained hundreds of thousands of EHRs from the university.”
Dinerstein, who spent parts of eight days at the UC Medical Center in June 2015, says “numerous pages of health records” were published, and that in using his smartphone at the hospital, the company was able to link his unnamed records to his other personal information through Google software and accounts on the device. He alleges that Google used DeepMind, a subsidiary, to assess the records and create commercial products by using AI to make connections between hospital records and Google user data, and that a January 2018 article published by the two in Digital Medicine, at nature.com, describes the research and methodology and acknowledges the contents of the record.
Dinerstein says the class will include “hundreds of thousands of individuals.” He is seeking damages, class certification, a jury trial, an injunction forcing UC to obey HIPAA regulations, a court order barring it from disclosing records without patient consent, and another prohibiting Google from using, and forcing it to delete, the records it obtained from the school.
Formal complaints include a violation of the Consumer Fraud and Deceptive Business Practices Act and breach of express or implied contract against UC, tortious interference with contract, and unjust enrichment against Google, and intrusion upon seclusion against both.
Google did not respond for comment.