De-identified data, but not too much. Class action against Google and the University of Chicago

Google and the University of Chicago Medical Center have been sued in a class action for violating patient privacy as a result of a data sharing partnership the parties signed two years ago.

The complaint, filed by Matt Dinerstein in the U.S. District Court for the Northern District Of Illinois, claims UChicago “promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes.

Instead, the university “did not notify its patients, let alone obtain their express consent, before turning over their confidential medical records to Google for its own commercial gain” the document states.

Google and the university claimed the medical records were de-identified. But that’s incredibly misleading. The records the University provided Google included detailed datestamps and copious free-text notes.

Google’s expertise in data mining and artificial intelligence, Dinerstein charges, thanks also to Google’s acquisition of the artificial intelligence company DeepMind, means it is “uniquely able to determine the identity of almost every medical record the university released.

In addition to seeking monetary compensation, the suit calls for an injunction requiring the University of Chicago to comply with all HIPAA de-identification regulations, enjoining the organization from disclosing identifiable patient medical records to third parties without first obtaining consent.

It also calls for an injunction prohibiting Google from using patient records obtained from University of Chicago and an order requiring Google to delete all patient records received from the university.

Since electronic health records contain patients’ highly sensitive and detailed medical records, including records revealing not only a person’s height, weight and vital signs, but whether they suffer from certain diseases or have undergone a medical procedure, the University’s release of EHR data would be in violation of HIPAA, Dinerstein’s suit alleges.

The personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy” the lawsuit states.

The themes of de-identification and pseudo de-identification are at the centre of attention both in the USA (HIPAA) and in Europe, where the new European Privacy Regulation (GDPR) came into force last year.

The spread of electronic health records and the presence of information-rich clinical repositories make available a large amount of data, both in structured form and in text form, which have great value for scientific research and development of commercial applications.

To give an idea of the scale of the phenomenon, the global market for big data analytics in health worth over 25 billion dollars, with an annual growth rate of over 28%.

The power of IA technologies and the amount of information that companies like Google possess, make the issue of de-identification very critical. Obscuring personal data is not enough to prevent third parties from identifying people by cross-referencing health care and clinical data with other information.

The enormous amount of data that the giants of the web possess, including social media, e-mail, shopping, travel to name a few, make it very difficult to preserve the identity of clinical data even if anonymously.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s