A whistleblower recently revealed that, in a venture codenamed “Project Nightingale,” Google has been gathering data on tens of millions of patients in 21 states who use the St. Louis-based Ascension health care system, without doctors or patients knowing about it. However, it’s not clear that Google isn’t allowed to do that under the current system:

But Google tells The Verge that despite the surprise, it’s standard industry practice for a health care provider to share highly sensitive health records with tech workers under an agreement like the kind it signed — one that narrowly allows Google to build tools for that health care provider by using the private medical data of its patients, and one that doesn’t require patients to be notified, the company claims.

A spokesperson challenged the idea that Google has been secretly gathering the health records of millions of Americans, saying the only purpose of such an agreement is to provide services back to the health care provider, and that it didn’t announce it was doing so earlier because work was in the very early stages.

Mary Beth Griggs, “Google reveals ‘Project Nightingale’ after being accused of secretly gathering personal health records” at The Verge

Google, Amazon, and Apple are all competing for a lucrative share in the health care market in
aging, First World nations. The giant data vacuum is usually sold to the public as a benefit, in this case to move the data to Google’s Cloud. But in some sources a less benign picture emerges:

“Google is secretly transporting data to its own servers without patient knowledge or consent,” the whisteleblower claims in the video.

The video goes on to explain that the project has four stages. The first two move patient data, with patients’ names, to Google’s cloud.

During stage three, Google uses Ascension’s data to build a framework in the cloud. Then during stage four, Google will mine Ascension’s patient information to run analytics and AI algorithms, sell or share data with third parties, and create profiles of patients that can be used for ads targeted to the patients’ healthcare issues.

John P. Mello Jr., “‘Nightingale Project’ to Turn Over Millions of Medical Records to Google” at TechNewsWorld

The whistleblower’s claim, if true, is hardly surprising. People who are known to have specific health issues are, in sales terms, a “highly qualified” market. For example, people whose health profiles show diabetes risk are more likely to be interested in sugar-free products and glucose meters than people whose profiles show minimal risk. Some products marketed to patients may even be paid for by a health care plan, which greatly reduces sales resistance.

Many Google employees are said to have access to the data, which includes “The collected data includes patient names, date of birth (DOB), lab results, doctor diagnoses and hospitalization records to provide a complete health history”:

Google has been working with Ascension on this data collection initiative, code-named “Project Nightingale” since last year and reports at least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.

Fred Pennic, “Google’s ‘Project Nightingale’ with Ascension Has Been Secretly Collecting Millions of Patient Records” at HIT Consultant

The larger the group with access, the easier infiltration would be, with the inevitable risk of data theft. Then Google might not even be the only firm with access to data once thought to be private.

The whistleblower originally posted a video on the Daily Motion social media platform of many confidential Nightingale files:

The whistleblower introduces the video with the words: “I must speak out about the things that are going on behind the scenes.”

Among the documents are the notes of a private meeting held by Ascension operatives involved in Project Nightingale. In it, they raise serious concerns about the way patients’ personal health information will be used by Google to build new artificial intelligence and other tools.

Ed Pilkington, “Google’s secret cache of medical data includes names and full details of millions – whistleblower” at The Guardian

It’s not as though there haven’t been problems in the past:

Google and its parent company, Alphabet, have faced scrutiny for some of its past healthcare partnerships. This summer, a University of Chicago patient sued Google and the university, alleging that they improperly shared patient data for research that used artificial intelligence to predict future medical events. Google and the University of Chicago both denied any wrongdoing.

In 2016, Alphabet’s artificial intelligence unit, Deepmind, came under fire for obtaining patient medical records from the U.K.’s National Health Services without proper patient consent. The company admitted mistakes and redrew its contracts.Privacy advocates were rankled further, however, last fall when Deepmind Health announced plans to merge with Google, reversing the company’s past pledges to keep its health work separate.

Jillian D’Onofro and Leah Rosenbaum, “Google Secretly Tests Medical Records Search Tool On Nation’s Largest Nonprofit Health System, Documents Show” at Forbes

Google’s proposed acquisition of Fitbit has only sharpened concerns around mass accumulation of health data.

At the COSM conference last month, a health technology expert, perhaps unintentionally, focused attention on the precise problem that health advocates worry about: Machines will soon know better than your doctor. Well, maybe not better, just more.

An underlying issue is that we don’t own our health data and it’s not always clear who does or should. Another increasing concern is that health algorithms can be clumsy at best, like the one that greatly underestimated African American health care needs because cultural clues were not part of the mix.

But the biggest question coming into focus is whether traditional patient confidentiality protection really works in the age of the internet. As to what changes are needed and who will sponsor them, both Sen. Amy Klobuchar and Sen. Josh Hawley, on opposite sides of the aisle, are watching the file. The latest word is that Google is facing (another) federal probe over this the issue. So perhaps some of the senators’ constituents are watching the file bulge too.

The $60 billion-dollar medical data market is coming under scrutiny As a patient, you do not own the data and are not as anonymous as you think.

Former Microsoft head of research: Machines will soon know better than your doctor. Other experts at the COSM Technology Summit were skeptical of Craig Mundie’s claims

See also: Your phone knows everything now. And it is selling your secrets