A former University of Chicago medical patient filed a class-action lawsuit against the University of Chicago and Google, claiming that the University of Chicago Medical Center is giving private patient information to the tech giant without patients' consent.
About two years ago, the university medical center partnered with Google with the hope of identifying patterns in patient health records to help predict future medical issues.
Now, former patient Matt Dinerstein is filing a lawsuit on behalf of the medical center’s patients, alleging that the university violated privacy laws by sharing sensitive health records with Google from 2009 to 2016, aiding Google’s goal of creating a digital health record system, according to the Chicago Maroon.
The suit alleges that the university deceived its patients by telling them that their medical records would be protected, but ultimately violated the Health Insurance Portability and Accountability Act (HIPAA), a federal law that ensures privacy and security for personal medical data. It also claims that UChicago violated state laws in Illinois that makes it illegal for companies to participate in dishonest client practices.
The complaint details Google’s alleged two-part plan: obtain the Electronic Health Record (EHR) of almost every patient at the UChicago Medical Center, then use the information to create its own lucrative commercial EHR system.
“While tech giants have dominated the news over the last few years for repeatedly violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is likely the greatest heist of consumer medical records in history,” the complaint stated.
“The compromised personal information is not just run-of-the-mill like credit card numbers, usernames and passwords, or even social security numbers, which nowadays seem to be the subject of daily hacks.”
“Rather, the personal medical information obtained by Google is the most sensitive and intimate information in an individual’s life, and its unauthorized disclosure is far more damaging to an individual’s privacy.”
Dinerstein’s lawsuit claims that EHRs contain patient information ranging from height and weight to diseases they carry such as AIDS or diabetes and medical procedures they have undergone.
The medical records include the demographics of patients, along with their diagnoses, prescribed medicine, and past procedures, the lawsuit alleges. According to the Department of Health and Human Services, HIPAA protects patients' "individually identifiable health information," which includes "demographic data, that relates to...the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual."
“The disclosure of EHRs here is even more egregious because the University promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes,” the lawsuit continued. “Nevertheless, the University did not notify its...