Project Nightingale patient data sharing slammed for violating privacy

Occurred: November 2019

An AI-powered collaboration between Google and US healthcare company Ascension came under fire for poor transparency, inadequate security, and violating patient privacy.

Dubbed 'Project Nightingale', the collaboration used Google's advanced data analytics capabilities to improve how information is used for patient care. Google was given access to over 50 million Ascension patients' medical records - including names, birthdates and addresses, lab results, diagnoses, and hospitalisation records - drawn from some 2,600 patient care sites, including 50+ senior living facilities and 150 hospitals.

Google used the data to create software powered by advanced artificial intelligence (AI) for patient diagnosis, prescriptions, and treatment recommendations.

However, a Wall Street Journal article revealed that Ascension health care providers had not been informed that the medical records of their patients were being distributed, and that the patients had neither provided consent nor been given a choice to opt out of the programme.

A few days later a Google whistleblower revealed in The Guardian that Ascension medical records transferred to Google were not properly de-identified, potentially exposing patients' identities and personal details. The whistleblower also revealed that several Google employees involved in the project had already raised concerns about patient privacy, and expressed concerns about Google potentially selling or sharing the data with third parties or using it for targeted advertising based on medical histories. 

Google defended the legality of the project under the Health Insurance Portability and Accountability Act, but did not clarify if and how the data was de-identified before transfer, or provide assurances against such misuse of the sensitive data.

The controversy highlighted Project Nightingale's lack of transparency, patient consent, and robust data protection measures, thereby potentially putting the privacy and security of millions of patients at risk. It also raised serious concerns about Google's growing ambitions in the healthcare sector.

➖ March 2018. Ascension and Google began to work together to create tools to identify and predict health concerns before a patient visits a doctor using emergent medical data (EMD).

➖ July 2019. Google mentioned the Ascension deal in an earnings call, stating the goal is to "improve the healthcare experience and outcomes".

➕ November 2019. The US Department of Health and Human Services' Office for Civil Rights opened an investigation into the Google-Ascension partnership to ensure compliance with HIPAA regulations.

➕ December 2019. A number of prominent US senators launched an inquiry into Project Nightingale. 

➕ March 2020. US senators wrote to Ascension CEO Joseph Impicciche demanding further information on the type and amount of information Ascension provided to Google, whether the health system provided advance notice to patients about the deal, whether patients could opt out of data sharing, how many Google employees had access to patient records, and how they were approved to gain access.

Operator: Ascension
Developer: Alphabet/Google
Country: USA
Sector: Health
Purpose: Analyse health data
Technology: Machine learning
Issue: Ethics/values; Privacy; Security
Transparency: Governance; Privacy
