11.20.19

Cassidy, Senate Colleagues Demand Answers in Google, Ascension Health Data Harvesting

WASHINGTON - Following alarming reports of Google’s efforts to obtain the health records of millions of Americans through their partnership with Ascension, U.S. Senator Bill Cassidy, M.D. (R-LA) and Senate colleagues wrote Google today demanding answers to the serious questions and concerns raised by “Project Nightingale.” 

“We write with concern over reports that Ascension has entered into a partnership that provides Google with the health records of tens of millions of Americans without their awareness or consent,” the senators wrote. “Health information and records of medical care are exceptionally sensitive information that, when mishandled, expose patients to embarrassment, discrimination, exploitation, and other harms. Based on prior privacy violations and security failures from the company, we have substantial concerns about how Google will handle patient data and use health records for other purposes.

Google’s “Project Nightingale” allowed the company access to the personal health data of 50 million or more patients – all reportedly provided without their knowledge or the ability to opt-out of the data sharing. In today’s letter, Blumenthal, Warren, and Cassidy demanded Google provide substantive responses to how such a vast amount of private, personal health data was surreptitiously collected, and how Google plans to use it. 

Cassidy met with representatives from Google today to discuss the ongoing issue of how to best secure patients’ health data.

The full text of the letter is available here and copied below.

Dear Mr. Pichai and Mr. Shaukat:

            We write with concern over reports that Ascension has entered into a partnership that provides Google with the health records of tens of millions of Americans without their awareness or consent. Health information and records of medical care are exceptionally sensitive information that, when mishandled, expose patients to embarrassment, discrimination, exploitation, and other harms. Based on prior privacy violations and security failures from the company, we have substantial concerns about how Google will handle patient data and use health records for other purposes.

            On November 10, 2019, the Wall Street Journal (Journal) disclosed Project Nightingale, a business partnership that began in secret last year, where Google has been developing and managing the infrastructure of the health care provider Ascension.[1] As the second largest provider in the United States, Ascension is providing Google with access to the personal data of roughly 50 million or more patients collected from 2,600 hospitals, clinics and other medical outlets located in 21 states. According to another report from The Guardian, employees of Ascension raised concerns about the secrecy and security of the project.[2] One individual involved with the project has written to express concerns that patients were not provided notice or the ability to opt-out of the data sharing.[3]

According to Journal, Ascension had hoped to use Google’s services not solely for maintenance and search of medical records, but for business analytics and other additional purposes, such as to identify additional tests and generate more revenue. In an internal presentation leaked online, Google had pitched Project Nightingale for addressing “missed opportunities for revenue” as a potential use case for its platform.[4] Additionally, as recently as September 2019, Google engineers had appeared to raise concerns that Google’s Cloud Platform was not uniformly compliant with Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.[5]This is particularly alarming since Google had reportedly already obtained around 10 million health files from Ascension.

Project Nightingale invokes substantial privacy and competition concerns. Regulators and medical practitioners around the world have raised concerns about Google’s entry and behavior in the health sector.[6] Access to tens of millions of patient records provides Google with an immense resource to build artificial intelligence systems and other tools that could be used elsewhere in the health sector and advertising markets.

Reports of Google’s collection of personal health data raise additional red flags in light of recent news that Google is attempting to acquire FitBit, Inc. amidst a federal antitrust investigation.[7] Google’s proposed acquisition would give it control over “troves of the most intimate details of its users’ physical health, from their heart rate to their exercise routines to how many hours they sleep at night.”[8] Given this further evidence of Google’s attempts to gain access to mass amounts of personal health data, it is increasingly urgent that you address questions around its collection and use.

Given the sensitivity and seriousness of the matter, we request a written response to the following questions by December 6, 2019:

1.      Please list all health systems, providers, insurers, or any other entity for which Google provides services related to electronic medical records.

a.       Does Google have any agreements with these entities under which personal health information is provided to Google? If so, please list and describe all such agreements. 

2.      Are Ascension patients provided notice of Google’s retention and use of electronic medical records?

3.      Will Ascension patients be provided the ability to opt out of the use of their heath information for what is medically or operationally necessary to provide patient care? Has Google affirmatively sought permission from patients for any use of this data?

4.      Did Google’s agreement with Ascension allow Google to perform research or analysis of patient data outside the direct scope of what was medically or operationally necessary to provide patient care? Would genetic information be included? Please list all planned or considered research or analysis.

5.       Is Google using or intending to use this data for targeting individuals with advertisements? Is Google using or intending to use this data to identify services that would be targeted at specific individuals?

6.      What procedures are in place that govern Google’s use of health information from Ascension for research or analysis? Who is responsible for approving such research?

7.      Is Google permitted to use information (aside from patient records) derived from Project Nightingale, such as machine learning models built from patient data, for contracts with other health providers and for other business purposes?

8.      Are all products and services, including the versions used in Project Nightingale, compliant with HIPAA?

9.      Do Google employees have direct access to the electronic medical records from Ascension? How many Google employees and which divisions of Google have access to patient data? Under what conditions can Google employees access Ascension data? Could a Google employee theoretically see the patient data of an acquaintance?

10.  When did Google begin obtaining personal health information from Ascension?

a.       What are the terms and conditions of the contract between Google and Ascension?  Specifically,
Is Google paying Ascension for this data or any services related to this data, and if so, how much?

b.      What specific uses of the data by Google are allowed under the contract?

c.       Could Google combine Ascension data with individual search and location data to create and leverage bolstered individual profiles?

d.      Does the contract prevent or restrict Ascension from disclosing the data sharing agreement, or providing patients with information indicating that their health information will be shared?  

11.  What is the full and complete list of patient-level information that Google is receiving from Ascension?

12.  How many individuals’ health records has Google received under “Project Nightingale?”   

13.  How is Google protecting the information it is receiving from Ascension? Is the information encrypted? Is the data stripped of any information that could be used to identify patients, either independently or with any additional information that Google may have already collected through its other services? 

###