The personal medical data of up to 50 million Americans will be transferred to Google and accessible to staff as part of a secret deal, a whistleblower has claimed.
Google’s deal with Ascension, one of the largest healthcare providers in the US, is now the subject of an inquiry by the federal regulator after news of the agreement was first reported earlier this week.
The Wall Street Journal reported on Monday that Google had partnered with Ascension to transfer the detailed medical records from the healthcare provider, which were spread across 40 data centres in more than a dozen US states, to Google Cloud.
This means that Google will be able to access the health records, names and addresses included in the data without informing the patients or doctors.
The records include lab results, diagnoses, records of hospitalisations and dates of birth.
The deal is the biggest of its kind that Google has signed, and is part of the tech titan’s play to be the leading healthcare data and analytics platform.
The company plans to develop artificial intelligence tools to help predict health patterns and improve treatment, and will also close a deal to acquire Fitbit next year.
After the secret plan - dubbed Project Nightingale - was revealed, Google claimed in a blog post that it was “standard practice” and was about supporting Ascension with “technology that helps them to deliver better care to patients across the United States”.
According to Google, the healthcare company will “use Google to securely manage their patient data, under strict privacy and security standards”.
“They are the stewards of the data, and we provide services on their behalf,” the post said.
“It’s understandable that people want to ask questions about our work with Ascension. We’re proud of the important work that we’re doing as a cloud technology partner for healthcare companies.
“Modernising the healthcare industry is a critically important task, with the ultimate result not just digital transformation, but also improving patient outcomes and saving lives.”
According to Google, the deal adheres to all relevant data privacy laws, and there will be “strict guidance” on privacy, security and usage.
“Under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data,” the company said.
But a Project Nightingale whistleblower has said that the medical data has not been de-identified and can be accessed freely by Google employees.
The anonymous whistleblower posted a video to Dailymotion, and also released hundreds of images of confidential files about the project.
“I must speak out about the things that are going on behind the scenes,” the whistleblower said.
The video reveals the four “pillars” of the project, with the first two relating to moving the data to the Google Cloud. The third is using this data to build a framework, while the fourth stage is using this data to mine patient information, run analytics and algorithms and share this with third parties for things like targeted advertising.
The leaked documents include Ascension employees raising major concerns about the way this highly personal data is being handled, and fears that it may be in breach of the law.
The whistleblower said there are concerns among the Project Nightingale employees.
“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place,” the whistleblower told The Guardian.
“This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.
“Patients haven’t been told how Ascension is using their data and have not consented to their data being transferred to the cloud or being used by Google. At the very least patients should be told and be able to opt in or opt out.”
The whistleblower said they are also concerned about so much data being accumulated by one tech company, and how this may be used in the future.
“In the future, such risks are only likely to grow,” they said. “This is the last frontier of extremely sensitive data that needs to be protected.”