Google and Private Research University Sued for Sharing Medical Data Without Patient Consent

We may earn a commission from links on this page.
Image for article titled Google and Private Research University Sued for Sharing Medical Data Without Patient Consent
Photo: Getty

In a class-action complaint filed on Wednesday against Google, a private research university and its medical center reveals not only how one of the most powerful companies in the world can obtain your most intimate data, but highlights their ability to piece all of this data together to figure out who you are.

Matt Dinerstein was admitted to the University of Chicago Medical Center in June 2015 for a few days and then admitted again later that month for another few days, according to the lawsuit. The medical center maintained a record including his “demographic information, his vitals, diagnoses, procedures, and prescriptions,” the complaint states. This de-identified medical record was then given to Google, and Dinerstein claims he never gave any type of consent to either the tech giant or the University to disclose such personal information. In fact, the complaint alleges that “the University promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes.”

Google obtained the Electronic Health Record (EHR) of “nearly every patient” from the medical center from 2009 through 2016, according to the lawsuit. This includes basic information like someone’s height, weight, and vital signs, but also information on diseases they have, whether they’ve undergone medical procedures, and medications they are on. And while the medical records were allegedly provided to the tech company “de-identified,” Google has powerful tools that would enable it to piece its troves of data together to ultimately identify anonymized information. As the complaint notes, the records also included date stamps and “copious free-text notes.”


It’s not simply unsettling for a massive tech corporation to have access to some of your most intimate data, even if it is allegedly anonymized, but how they can tap into their other resources to shape a more fully formed picture of who that person is. As the complaint notes, in this case, this applies to DeepMind Health, the healthcare arm of the Alphabet-owned artificial intelligence company, as well as Google’s wealth of information on user’s highly specific geolocation history as they move around the world carrying a surveillance device in their pocket. The complaint notes that the latter can be used “to pinpoint and match exactly when certain people entered and exited the University’s hospital.”

As for the former, DeepMind was already in hot water over similar concerns back in November of last year after it was announced that it would be folded into Alphabet, rather than operating independently, with critics pointing out that this went against DeepMind’s promise upon working with the National Health Service that “data will never be connected to Google accounts or services,” the Guardian reported. But the move was allegedly made, according to Google, to continue scaling up DeepMind’s health app Streams.


“Making this about semantics is a sleight of hand,” privacy researcher Julia Powles tweeted at the time. “DeepMind said it would never connect Streams with Google. The whole Streams app is now a Google product. That is an atrocious breach of trust, for an already beleaguered product.”

This is relevant to the concerns echoed in Dinerstein’s dispute—that the entanglement of health data and a powerful tech corporation is a disturbing invasion of privacy, and that such a relationship should involve the consent of the patients whose data is being handed over and dissected and, in turn, likely used for capital gain.


The class-action complaint applies to anyone in the United States whose EHR was given to Google or any of its related entities by the University of Chicago or any of its related entities. It is suing Google and the University for a violation of the Consumer Fraud and Deceptive Business Practices Act, breach of express contract, breach of implied contract, tortious interference with contract, intrusion upon seclusion, and unjust enrichment.

“Without question, the University exploited its patients,” the complaint states. “The University took advantage of the fact that a large number of its patients, due to socio-economic barriers, are not in a position to assert their right to privacy and take steps to ensure that their medical records are not disclosed to a third party for a commercial purpose.”