Google is facing another privacy issue after a whistleblower revealed that it has been secretly receiving millions of private user health records from its partner health care provider, Ascension. According to the whistleblower, under the venture dubbed Project Nightingale, Ascension transfers up to 50 million private patient health records from 21 states to Google without the knowledge or consent of the patients.

These include user data such as full personal details, laboratory results, diagnoses and hospitalization records that up to 150 Google staff then have access to. What’s more, the report claims that unlike other data transfers in which the users are de-identified to make them anonymous, under Project Nightingale, Google staff can see the patients’ full personal details including their names and dates of birth.

In a video posted on Daily Motion, the whistleblower claims that Google can mine patient information from the data they receive to sell or share with third-party partners, and can also create user profiles so they can later serve advertisements specific to the users' healthcare needs.

Google logo
A man walks past the logo of the US multinational technology company Google. Alain Jocard/AFP/Getty Images

Project Nightingale is so far said to be the largest data transfer in healthcare, especially since Ascension is one of the largest healthcare providers in the United States, with a Catholic network of 2,600 hospitals, medical outlets, and clinics.

In response to the whistleblower claims, Google and Ascension have both released statements on Project Nightingale, explaining that the project’s goal is to enhance the delivery of healthcare through modern tools, thereby improving patient and consumer experience.

According to Ascension, using Google tools such as G Suite will enhance communication and collaboration in real-time, while AI and machine learning applications can support improvements in patient experience and clinical quality.

“All work related to Ascension's engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension's strict requirements for data handling,” the Ascension statement notes, without directly addressing the whistleblower claims.

As for Google, the company faced the controversy head-on. In its statement, Google states that its partnership with Ascension is merely a business arrangement to provide Ascension with the latest technology, with the main goals of moving Ascension's infrastructure to the cloud, using G Suite productivity tools, and improving care by extending tools to doctors and nurses.

As for the supposed data transfer, Google explains that the partnership adheres to industry-wide regulations and that the business partnership, which includes access to Protected Health Information, is solely for the purpose of helping to improve patient care.

“To be clear: under this arrangement, Ascension's data cannot be used for any other purpose than for providing these services we're offering under the agreement, and patient data cannot and will not be combined with any Google consumer data,” said Google.

However, it is worth noting that the whistleblower video also leaked Google documents in which annotations suggest that Google might be able to sell or share the data in the future. Further, there is also the important factor of patients not having been notified of the data transfer.

“Patients haven't been told how Ascension is using their data and have not consented to their data being transferred to the cloud or being used by Google. At the very least patients should be told and be able to opt in or opt out,” the whistleblower wrote in the video.