Google’s Project Nightingale: The largest transfer to date of private medical data to the tech giant

Last week, the Wall Street Journal broke the news that Ascension Healthcare, the second-largest healthcare provider in the US, has partnered with Google in a venture called Project Nightingale to transfer personal health data on millions of patients to the giant technology company’s cloud-based platforms, the largest trove of such information to date.

On the same day that the Journal broke the news, the two entities released a joint press statement confirming their relationship, which involves personal medical data from the entire spread of Ascension, a Catholic network of 2,600 hospitals, clinics, and other medical outlets, spanning 21 states involving more than 50 million medical records. Secret negotiations began a year ago, and thus far 10 million medical files have been uploaded with completion of the transfer scheduled for March 2020. Both companies have assured compliance with government regulatory processes.

What has many critics concerned about the project is the secretive manner in which the negotiations had been conducted and the unprecedented nature of the size and type of information being shared. At no time did Ascension or Google attempt to inform the doctors or their patients or obtain their consent.

Data sharing between healthcare and technology companies has typically occurred with de-identified data or, in other words, data stripped of all identifying information such that it can’t be traced back to the individual in question.

However, in this case the records being transferred include the names of patients, personal data such as addresses, employer, and medical record numbers. These are tied to their health history, which can include data like their medication list, physiological characteristics, genetic tests, their sexual and psychological reports, and other studies such as various imaging and special procedures such as echocardiograms or colonoscopies, and sundry blood tests. Google will have access to sensitive surgical reports and detailed pathology review of tissues. Accidental breach of the data or intentional covert sharing of the most intimate and private information can have devastating impact on the lives of millions of people.

For the past two decades Google has been facing accusations of repeated privacy violation to include a recent settlement that requires Google and YouTube to pay $136 million to the Federal Trade Commission and $34 million to the State of New York for allegedly violating Children’s Online Privacy Protection Act Rule by targeting advertisement on their children channels.

Google has also been cited for collaborating on patient data transfers with the Royal Free National Health Service Foundation Trust in the UK, DeepMind Technologies (acquired by Google in 2014), and the University of Chicago Medical Center at the University of Chicago where data was not properly de-identified.

Google has also allied with the military, providing them with artificial intelligence software that provides the US military and intelligence community the ability to prosecute their endless wars in the Middle East. The intimate relationship that exists between the giant technology company and the state should give serious concerns about the potential for how this data could be used against the working class. The National Security Agency has been collecting records of phone calls and text messages of millions of Americans. It is certainly conceivable that with Google’s ongoing artificial intelligence (AI) development these formidable tools will even further enhance the state’s repressive capacity.

The coordinated Wall Street Journal reporting on the behind the scene negotiations in conjunction with the release of the press statement by Google and Ascension are characteristic of a damage-control release of information to buffer public concerns and criticism. The tone of the Journal articles is matter of fact and superficial, lacking substantive analysis despite the potentially catastrophic and massive violation of patient privacy involved in this enterprise.

Last week also saw the Guardian reporting on an anonymous whistleblower who works on Project Nightingale. The paper did not make public the content of the whistleblower’s documents other than stating, “Among the documents are the notes of a private meeting held by Ascension operatives involved in Project Nightingale. In it, they raise serious concerns about the way patients’ personal health information will be used by Google to build new artificial intelligence and other tools.”

In a video the whistleblower expressed troubling concerns that the operations have been kept hidden from patients and the public at large. Unlike previous efforts by healthcare organizations to transfer de-identified data to technology companies, the data transfer with all the personal details included will be accessible to more than 150 Google staff and could potentially, through negligence or intent, be hacked or released. At stake are serious violations of federal rules on data privacy and breach of sensitive patient information that have yet to be challenged.

A video released by the whistleblower that supposedly detailed the “confidential outlines of Project Nightingale” has since been removed by Daily Motion, a French-based video-sharing technology platform, citing a breach of its terms of use.

Following these reports, lawmakers have jumped in the fray, suggesting the arrangement between Google and Ascension runs contrary to federal privacy rules regarding medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPPA) was created to stipulate how personally identifiable information had to be maintained by the healthcare and insurance industries to protect them from fraud and theft.

Senator Mark Warner (Democrat, Virginia) has been one of a handful of legislators decrying the largest effort so far by a technology company to enter the healthcare industry.

Healthcare in the United States is a multi-trillion-dollar industry where technology giants have been attempting to position themselves to compete for lucrative contracts against outmoded and inefficient processes that have led to rising costs. The medical technology field has seen Amazon, Apple, Google, and Microsoft competing to capture larger shares of the market with forays into medical research, electronic medical record systems, logistics, and transportation as well as the use of apps and software to track variety of ailments and conditions.

Legislators have called for a moratorium on Project Nightingale until further investigations into the nature of these arrangements can be conducted. According to Senator Warner, “Allowing already-dominant technology platforms to leverage their hold over consumer data to gain entrenched positions in the health sector is a worrying prospect.” However, according to The Hill, experts in healthcare policy do not consider the partnership to be a HIPPA violation, as the 1996 law allows for a broad definition of “business associate” and makes an exception for data used for quality improvements.

Given the rising cost of healthcare and the need for critical operating revenues, the present collaboration between Ascension Healthcare and Google intends to use artificial intelligence to more rapidly read and analyze electronic health records to capture all pertinent diagnoses and compete in the tightening market of healthcare delivery. As the New York Times noted, “Already, the two organizations are testing software that allows medical providers to search patient’s electronic health records by specific categories and create graphs of the information, like blood test results over time.”

Significantly, Project Nightingale has been a bonanza for Google and its AI programs. Engineers require large troves of accurate data to sift through in order to improve predictions in their AI algorithms. Access to Ascension’s data files linked to real names and identifications will allow them to prospectively analyze their predictions and develop “total” profiles on people which can be used for the most nefarious purposes, from firing workers for breaches of company “health practices” to developing health files which can be used to persecute political opponents.