Security News

Concerns Raised Over Google's Deal to Store Data of 50 Million Patients

Google is drawing fire over its Project Nightingale, which involves the transfer of medical data - from Ascension, the USA's second-largest healthcare provider - of 50 million Americans.

The idea is that data from Ascension's network of 2,600 hospitals, clinics and medical outlets will have AI applied to it in the hope of, among other things, recommending better treatment plans and the replacement or addition of doctors, identifying potential problems such as drug interaction issues, cross-referencing relevant medical events and suggesting the enforcement of narcotics policies.

However, concerns over data privacy are being voiced and even some of those working on Project Nightingale have raised doubts (anonymously). One even posted a video on social media containing hundreds of images of confidential files and started the video with the words: "I must speak out about the things that are going on behind the scenes."

One of the concerns raised is the fact that data is being transferred without the knowledge (and therefore, permission) of doctors and patients. Google says what they are doing is fully compliant with HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations, but another concern is that the data, which contains full personal details including name and medical history, can be viewed by Google employees.

"A limited number of Google employees have been approved by Ascension to potentially handle PHI (protected health information)," said Google in a blog. The Wall Street Journal reports that "at least 150 Google employees already have access to much of the data on tens of millions of patients." (Around 300 people - half from Google and half from Ascension - are working on Project Nightingale)

Google further stated that their work with Ascension "adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care ... Ascension's data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data."

Ascension released its own statement: "All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling."

The HIPAA allows medical providers to share protected health information (PHI) data with business partners without the consent of the data's 'owner'. This is done via a Business Associate Agreement (BAA), which says data can't be used for anything other than the specific services outlined in the the agreement.

But why is Google handling the data of Ascension's 50 million customers?

In July, Google announced that Google Cloud's AI and ML solutions were helping "improve the healthcare experience and outcomes" of healthcare organizations. Google's work with Ascension involves providing it with the latest technology, similar to what Google does other healthcare providers, the data of which is managed under strict privacy and security standards.

Among other things, Google says the partnership will modernize Ascension’s infrastructure, enhance its employees’ ability to communicate and collaborate securely in real time, and provide tools to support improvements in clinical quality and patient safety.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Get weekly security news and vulnerability alerts

Join 916 others receiving a free weekly report with a round-up of vulnerabilities and security news customised to your software stack. See an example email

Example email for SecAlerts

Earlier: