Judge dismisses data privacy suit against University of Chicago and Google
Back in 2019, Healthcare IT News reported on a unique privacy case involving Google and the University of Chicago Medical Center – which had been named as defendants in a class action suit alleging that they’d failed to properly de-identify data used for machine learning research and predictive analytics projects.
The suit’s plaintiff, Daniel Dinerstein, who was a patient at UChicago in 2015, alleged that, while Google and UCMC claimed the medical records used were de-identified, such a claim was “misleading.”
Given that the data provided to Google by the university “included detailed datestamps and copious free-text notes,” he alleged, the tech giant’s expertise in data mining and artificial intelligence made it “uniquely able to determine the identity of almost every medical record the university released.”
On September 4, Judge Rebecca R. Pallmeyer of the U.S. District Court for the Northern District of Illinois granted the University of Chicago and Google’s motions to dismiss the suit.
“Plaintiff suggests that the risk of re-identification was in fact substantial because of the information Google already possesses about individuals through the other services it provides,” Pallmeyer writes in her decision.
“Specifically, the amended complaint refers to Google as ‘one of the largest and most comprehensive data mining companies in the world, drawing data from thousands of sources and compiling information about individuals’ personal traits (gender, age, sexuality, race), personal habits, purchases, and associations.’ Google has ‘create[d] detailed profiles of millions of Americans,’ including public and nonpublic information, and ‘possess[es] detailed geolocation information that it can use to pinpoint and match exactly when certain people entered and visited the University’s hospital,’ according to the amended complaint,” she explained.
“In fact, for a user of Google applications like Mr. Dinerstein, Google can track the specific University hospital buildings or departments he visited and the time of his visits. Plaintiff alleges that the combination of such geolocation information and the EHRs, which include the date and time of hospital services, ‘creates a perfect formulation of data points for Google to identify who the patients in those records really are.’ The amended complaint does not allege, however, that Google has in fact used its extensive data to re-identify any EHRs.”
The use of de-identified data has been common for years, of course. But so have challenges around keeping it that way. As far back as 2010, the Office of the National Coordinator for Health IT was studying how to manage the privacy risks presented by health information that had been stripped of personal identifiers – the potential for “re-identification.”
The contours of this University of Chicago case are similar in some respects to the so-called “Project Nightingale” initiative between Google and Ascension, which got lots of mainstream media attention this past November, amid concerns over how the Mountain View, California, company was using patient data to help inform its design of new AI and machine learning software for Ascension.
In many respects, the collaboration “is not unlike arrangements that happen every day in America between hospitals and other covered entities and contractors performing services on their behalf,” Deven McGraw, former deputy director for health information privacy at the HHS Office for Civil Rights and now chief regulatory officer at health data startup Ciitizen, said at the time. “Many hospitals have hundreds of business associates, all with extensive access to PHI.
But Google isn’t just any vendor, McGraw acknowledged. It “has access to so much other data about individuals,” she said, and therefore understood concerns that “it may not be possible for data to be truly de-identified in their hands, given all of the data to which they have access.”
As long as Google “fulfills its privacy and security obligations under HIPAA with regard to the protected health information provided by Ascension, there is no HIPAA issue on the face of things,” added healthcare attorney Matthew Fisher, partner at Westborough, Massachusetts-based Mirick, O’Connell, DeMallie & Lougee. “However, given the enormous amount of data held by Google, a maybe not so academic question exists of whether data can be de-identified when in Google’s possession.”