SAN FRANCISCO — When the University of Chicago Medical Center announced a partnership to share patient data with Google in 2017, the alliance was promoted as a way to unlock information trapped in electronic health records and improve predictive analysis in medicine.
On Wednesday, the University of Chicago, the medical center and Google were sued in a potential class-action lawsuit accusing the hospital of sharing hundreds of thousands of patients’ records with the technology giant without stripping identifiable date stamps or doctor’s notes.
The suit, filed in the United States District Court for the Northern District of Illinois, demonstrates the difficulties technology companies face in handling health data as they forge ahead into one of the most promising — and potentially lucrative — areas of artificial intelligence: diagnosing medical problems.
Google is at the forefront of an effort to build technology that can read electronic health records and help physicians identify medical conditions. But the effort requires machines to learn this skill by analyzing a vast array of old health records collected by hospitals and other medical institutions.
That raises privacy concerns, especially when it comes from a company like Google, which already knows what you search for, where you are and what interests you hold.
In 2016, DeepMind, a London-based A.I. lab owned by Google’s parent company, Alphabet, was accused of violating patient privacy after it struck a deal with Britain’s National Health Service to process medical data for research.
The group inside DeepMind that acquired the data from National Health Service has since been transferred to Google, which has raised additional complaints from privacy advocates in Britain. DeepMind had previously said that data would never be shared with Google. In absorbing DeepMind’s health unit, Google said it was building “an A.I.-powered assistant for nurses and doctors.”
Google’s alliance with the University of Chicago mirrored other partnerships that the company struck to obtain electronic health records from other hospitals, including the University of California, San Francisco and Stanford University.
But the deal with the University of Chicago medical center violated patient privacy, the lawsuit claims, because those records also included date stamps of when patients checked in and checked out of the hospital.
In a research paper published by Google last year about “Scalable and Accurate Deep Learning for Electronic Health Records,” the company said it used electronic health record data of patients at the University of Chicago Medicine from 2009 to 2016.
The records included patient demographics, diagnoses, procedures, medication and other data. The paper states that the records were “de-identified,” except that “dates of service were maintained.” The paper also noted that the University of Chicago provided “free-text medical notes” that had been de-identified.
Under the Health Insurance Portability and Accountability Act, the federal regulation that protects patients’ confidential health data, medical providers are permitted to share medical records as long as the data is “de-identified.”
To meet the Hipaa standard, hospitals must strip out individually identifiable information like the patients’ name and Social Security number as well as dates directly related to the individual, including admission and discharge dates.
The lawsuit said the inclusion of dates was a violation of Hipaa rules in part because Google could combine it other information it already knew, like location data from smartphones running its Android software or Google Maps and Waze, to establish the identity of the patients in the medical records.
“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class action lawsuits against technology companies for privacy violations.
The lawsuit, filed on behalf of Matt Dinerstein, who stayed at the University of Chicago Medical Center on two occasions in June 2015, did not offer evidence that Google misused the information provided from the medical center or made attempts to identify the patients.
The complaint accuses the university of consumer fraud and fraudulent business practices because it never received express consent from patients to transfer disclose medical records to Google. In a privacy agreement, the university said it would keep medical information confidential and comply with Hipaa regulations. The lawsuit also accuses Google of unjust enrichment.
Stacey A. Tovino, a health law professor at the University of Nevada, Las Vegas, said Hipaa was enacted in 1996 before the technology industry started collecting vast amounts of personal information.
That has made the regulations outdated because the idea of what information is considered individually identifiable has changed with advances in technology.