Does Google have your medical data?
Project Nightingale was announced in November of this year and raised approximately one round of panic before the news cycle moved on to the next big thing. But just because it’s not on the front page doesn’t mean it’s gone away (and just because the project could start in the U.S. doesn’t mean it’s irrelevant to the rest of the world).
First, let’s start with Ascension, the Catholic health care system that also happens to be the second-largest in the United States. With roughly 2,600 hospitals, doctors’ offices and other related facilities spread over 21 states, it holds tens of millions of patient records – and these records have comprehensive health information on millions of Americans. It’s a valuable resource for anyone wanting to do health research.
Then along came Google, a company that has had a rough few years PR-wise and has largely lost the public’s trust (even as we continue to use it every day). When it was announced that Google was developing software to compile, store and search medical records and that both companies had signed a Health Insurance Portability and Accountability Act (HIPAA) agreement, the goal was clear – Ascension was going to transfer the health records to the Google Cloud.
Now, as far as we know, the agreement states that Google can’t do anything with these records other than provide services to Ascension. But when The Wall Street Journal first brought the partnership, dubbed “Project Nightingale,” to light in November of 2019, it also reported that neither doctors nor patients had been informed of what was happening with these records and that roughly 150 Google employees had access to the data.
In the best of circumstances, these employees are trustworthy people, the records are well protected by a powerful tech company, and what comes out of Project Nightingale will be new insight into human health that benefits us all.
But the way consumers found out and the fact that it wasn’t a transparent process naturally raised some suspicions, especially in the privacy arena. In fact, these suspicions still exist since most of what we know comes from anonymous insiders. Those insiders also report that Ascension employees have expressed concern over some of the ways Google intends to handle the data, claiming that it is not HIPAA-compliant. Google denies this.
Google Cloud exec Tariq Shaukat has promised that patient data gathered from the project will not be combined with any Google customer data, and standard legal agreements about medical data sharing generally prohibit the use of this kind of data for other purposes. But Google has had its fair share of controversies when it comes to medical data. Take, for example, the project known as DeepMind, which spawned an AI-powered diagnosis app called Streams that illegally held over 1.6 million patient records. Or the lawsuit faced by Google and the University of Chicago Medical Center after a collaboration on patient records that the Center did not get consent to share.
It’s important to remember that other large tech companies – such as Microsoft and Apple – are also launching health projects. But this only raises more questions about what right we have to our own healthcare data and how it’s used.
If we’ve learned anything over the last decade, it’s that secure data can be hacked and anonymized data can be de-anonymized. So this raises an important question – what could possibly go wrong? And we’re about to find out since the partnership has now triggered a federal inquiry.
Google’s “Project Nightingale” gathers personal health data on millions of Americans (The Wall Street Journal, 2019)
Our partnership with Ascension (Google Cloud Blog, 2019)
Google health-data scandal spooks researchers (Nature, 2019)