Google Secretly Harvests the Health Data of Millions
Google Secretly Harvests the Health Data of Millions
Carlos Luna/ Flickr
Google has been harvesting the health data of tens of millions of U.S.
patients since 2018, unbeknownst to those patients or their doctors, as
revealed by a Nov. 11 investigation by the Wall Street Journal. According to
the story, Ascension, a private network of some 2,600 hospitals and other
health care facilities, had been systematically feeding the medical
information to Google's cloud infrastructure in what amounts to the largest
data transfer in the health care field. Google, in turn, plans to "suggest"
changes to patients' care, possibly via machine learning.
Google and Ascension confirmed the reports, insisting the agreement-dubbed
"Project Nightingale"-was a legal, innocuous advancement in medical-data
processing. Both companies intimated, chillingly, that Google's AI
applications would use the data to predict patient conditions and determine
treatments, among other recommendations.
Media coverage of Project Nightingale has focused chiefly on the operation
as a potential watershed in medical-privacy legislation. It's not known yet
whether the data transfer was compliant with the Health Insurance
Portability and Accountability Act (HIPAA), which governs how health
insurance companies share medical information with their "business
associates"; now, the Department of Health and Human Services (HHS) is
reportedly probing the project's lawfulness. Some have posited that HIPAA is
due for an overhaul, reasoning that the 1996 law is unequipped to regulate
Google's ever-evolving digital architecture.
Related Articles
Google Secretly Expands Tech Empire Across the U.S., Getting Millions in Tax
Breaks
Google Secretly Expands Tech Empire Across the U.S., Getting Millions in Tax
Breaks
by Ilana Novick
Google Is Making Billions at the Media's Expense
Google Is Making Billions at the Media's Expense
by Jacob Sugarman
Google Sets Record Straight on 'Location History' Setting
by RYAN NAKASHIMA / The Associated Press
Yet these concerns, valid as they may be, ignore the crux of the matter.
Project Nightingale isn't a flaw to be corrected with incremental
improvements in privacy law; it's an indictment of privatized health care
altogether.
To treat Project Nightingale as a product of failed privacy policy, and not
of a for-profit health care system, is effectively to absolve Google and
Ascension. Historically, digital-privacy regulations (or the threat of them)
have come at virtually no expense to tech corporations.
Facebook, perhaps the most high-profile offender on privacy issues, has
created a number of scandals for itself, from lying about users' control
over their data to funneling user information to the right-wing political
consultancy firm Cambridge Analytica. The company's penalty: minor privacy
policy tweaks and a $5 billion Federal Trade Commission
fine-slap-on-the-wrist caliber for a company worth over $550 billion.
Meanwhile, Google's privacy breaches-from nonconsensual location tracking to
collection of data on minors-have incurred federal finger-wags and fines as
paltry, relatively speaking, as $170 million. (Google's market
capitalization exceeds $900 billion.)
In the interest of staving off additional regulation, Facebook and Google
have already begun to seize the privacy narrative. Last spring, Mark
Zuckerberg unveiled a "privacy-focused" Facebook redesign including message
encryption and ephemeral, rather than permanent, posts-changes that sound
constructive while still permitting the company to profile users' locations,
ages, browsing habits and other traits in the name of targeted advertising.
Similarly, Google CEO Sundar Pichai penned an op-ed for The New York Times
in which he crowed about giving users the "choice" to control their
privacy-trusting that the average Google user won't pore over the minutiae
of their privacy settings-and assured readers that data collection, somehow,
benefits everyone. Not coincidentally, Facebook and Google have donated to
major think tanks and nonprofits in a bid to influence privacy legislation.
Considering this, it's difficult to envision HIPAA reining in a company like
Google. When companies do violate HIPAA, the standard penalty, as in tech
privacy violations, is a fine. In 2018, Beckers Hospital Review noted three
"major" cases of HIPAA violations. Filefax, a defunct medical records
management company, was fined $100 million for a 2015 data breach affecting
2,150 patients. Massachusetts company Fresenius Medical Care North America,
part of an international network that boasted soaring profits in October,
paid $3.5 million in the wake of five separate breaches. MD Anderson Cancer
Center, a Texas hospital with revenues of $5.2 billion in 2018, paid $4.3
million in civil penalties for three breaches.
If Project Nightingale isn't HIPAA compliant, as at least one whistleblower
has warned, there's too much evidence of corporate latitude in privacy law
to believe Google and Ascension will be restricted in any meaningful way. If
it is HIPAA compliant, as The Atlantic has argued, HIPAA will at best be
faintly modified to account for digital medical processing, with no real
impact on health care corporations.
In either case, the problem isn't that Project Nightingale may have violated
HIPAA, or that HIPAA is antiquated. It's that, regardless of the form the
legislation takes, HIPAA and other health-data laws will continue to be a
plank in the legal framework that codifies health care as a business. As
Mason Marks recently wrote for Slate, a bill proposed this year by Sens. Amy
Klobuchar, D-Minn., and Lisa Murkowski, R-Alaska, said the Protecting
Personal Health Data Act "actually creates a safe harbor for products that
mine [predictive health data], including those that collect personal health
data 'derived solely from other information that is not personal health
data.'"
Thus, even with full HIPAA and other legal adherence, corporations retain an
incentive to work in tandem with hospitals and insurance companies in all
sorts of data-centric capacities-hence Amazon, Apple and other tech firms'
hunger for a piece of the lucrative health care industry pie.
The only way to prevent the further monetization of health care data, then,
is the complete removal of the profit motive from health care. Alphabet,
Google's parent company, reportedly plans to apply and sell AI to health
insurance companies and has invested in health insurance companies Oscar,
Clover, and Collected Health. Apple and Amazon are in close proximity to
other insurance companies, likely seeking to convert data into expensive
medical procedures. The antidote isn't simply better laws; it's a fully
publicly funded, single-payer system.
This, of course, isn't a new observation: Public support for single-payer
health care is overwhelming, despite what many policymakers would have their
constituents believe. And when a toothless HHS investigation of Project
Nightingale is legislators' idea of justice for medical patients, that
support will only grow more robust.
Julianne Tveten
Julianne Tveten's work has appeared at In These Times, Fairness & Accuracy
In Reporting, The Nation, Pacifica Radio and elsewhere.
Julianne Tveten
