San Francisco-based tech giant, Google, is once again in the center of a class action lawsuit together with the University of Chicago Medical Center with what is likely “the greatest heist of consumer medical records in history.”
The class-action lawsuit, filed at the United States District Court for the Northern District of Illinois, Eastern Division, by Matt Dinerstein in behalf of the affected patients, is seeking for appropriate damages and an injunction to halt the continued operations of the project between Google and the University of Chicago.
University of Chicago shared EHR to Google
The lawsuit alleges that the University of Chicago lends its patient database to a Google project that uses data from patients’ electronic medical records to try to make better predictions and advance artificial intelligence in medicine.
In the process, the university shared the sensitive medical information of patients without their consent to a third party. This data, the lawsuit said, is not “just run-of-the-mill like credit card numbers, usernames, and passwords, or even social security numbers, which nowadays seem to be the subject of daily hacks; rather, the personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy.”
“Beginning in 2017, Google set in motion a plan to make its most significant play in the healthcare space. This plan had two key components: (1) obtain the Electronic Health Record (“EHR”) of nearly every patient from the University of Chicago Medical Center from 2009 to 2016; and (2) file a patent for its own proprietary and commercial EHR system that wouldn’t be published until well after it had obtained hundreds of thousands of EHRs from the University,” reads the 43-page court document obtained by Z6Mag.
The EHR included data of patients such as person’s height, weight, and vital signs, and other highly sensitive and confidential information like whether they suffer from diseases like AIDS, cancer, sickle cell, depression, sarcoidosis, or diabetes, or if they went through a medical procedure like an abortion, transplant, or mastectomy.
“In short, EHRs are the most personal and sensitive information that exists about a person,” the lawsuit said.
The court filing alleges that the University of Chicago Medical Center shared the data despite its obligation to safeguard the confidential health-related data of its patients. It also promised in its admission form that the hospital would not disclose any information to third-parties for commercial purposes.
Furthermore, the university also failed to notify its patients, not asked consent, before turning over their confidential medical records to Google.
“The University provided Google a partner willing to turn over the information that it desperately needed. Indeed, the University—seeking not much more than notoriety for its collaboration with Google in the development of healthcare products—was happy to turn over the confidential, highly sensitive and HIPAA-protected records of every patient who walked, through its doors between 2009 and 2016. Ultimately, by getting the University to turn over these records, Google quietly pulled off a feat that other tech giants (like Facebook) have had to abandon under mounting public pressure for other gross privacy violations,” reads the document.
The University of Chicago covered up the data breach
To make matters worse, the class-action alleges that the University is also involved in covering up the fact to “avoid public backlash.”
“The cover-up is particularly egregious because the University had a legal duty to inform its patients and the authorities of the unauthorized transfer of their medical records to Google. While this type of public misinformation campaign may be expected from a tech company that has been known to play fast and loose with the information of its customers, the fact that a prominent institution like The University of Chicago would act in such a way is truly stunning,” it added.
Dinerstein and the class is suing Google and University of Chicago Medical center for violations of The Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505 (“ICFA”), which protects both consumers and competitors by promoting fair competition in commercial markets for goods and services.
The plaintiff also wants the involved entities to be liable for breach of and tortious interference with contract, intrusion upon seclusion, and unjust enrichment.