Project Nightingale: How Google is Secretly Collecting Patient Data

An exclusive report by The Wall Street Journal this week exposed a secret initiative by Google to collect the personal information of millions of patients without their knowledge. The secret initiative, named “Project Nightingale,” is a joint venture between Google and Ascension, the second-largest health network in the United States.

Even worse, it could be legal.

What is Project Nightingale?

Project Nightingale was launched secretly last year as a collaboration between Google and Ascension, a Catholic network of over 2,600 hospitals, doctor’s offices, and other health facilities. The deal allows Ascension to share personal, private patient information with Google without notifying patients or doctors that the information is being shared.

So far, it’s estimated that Google has collected detailed information on tens of millions of patients across 21 states. This information divulges extensive personal information, including:

• Name
• Birthday
• Family Members
• Address
• Radiology Scans
• Hospitalization Records
• Lab Tests
• Prescriptions
• Allergies
• Vaccination Records

The project is an attempt for the tech giant to break into the lucrative world of healthcare – something Silicon Valley sweethearts like Apple, Amazon, and Microsoft have already begun to do. But a deal of this magnitude has never been struck before, giving Google a major foothold in the world of patient health data. The news comes in the midst of federal inquiries into the influence major tech companies already have on user data, along with a pending deal for Google to acquire Fitbit.

The $2.2 billion Fitbit deal seemed bold from the start; Google would gain access to personal data on millions of users even as Congress continues antitrust hearings. Now, it turns out that the company facing so much scrutiny over its use of personal data has been tapping into our medical records as well.

The Age of Artificial Medicine

The main goal of Project Nightingale is to gather, store, and sort through a massive amount of patient data to “improve treatment and administration.” Google’s new artificial intelligence programs, or AI, will be showcased along with Google’s cloud, which has been surpassed by competitors Amazon and Microsoft.

What this means is that Google will be collecting personal information on you and your family members, compiling them into one complete patient file, and then making recommendations to your care based on trends or anomalies detected by the AI. According to the WSJ report, these could include:

1. Enforcement of narcotics policies
2. Consolidating and updating billing
3. Suggesting treatment plans and tests
4. Flagging deviations in care
5. Replacing or adding doctors to a patient’s team

For many Americans, this in an exceptionally alarming thought. For those of you who attended our recent Live Event in Anaheim, you already have an idea of what is coming…

As if the collection of your most sensitive personal information by private tech companies wasn’t bad enough, they’ll now be programming a machine to help dictate your care. Forget individualized medicine and patient freedom – Google knows what you need.

We don’t know how this will play out yet. But in a world where patients are routinely persecuted for declining things like flu shots, chemotherapy, and designer drugs, it’s hard to imagine that this will improve patient freedom.

Imagine a system that can flag your file when a cancer diagnosis isn’t immediately followed with surgery and chemo. Imagine a world where integrative doctors can be replaced for not following the standard care procedures. Imagine a system that can track the vaccination records of you, your children, and your extended family!

That world is here. And it’s dangerous.

With Great Power Comes Great Responsibility

According to the report, at least 150 Google employees already have access to the data on tens of millions of patients. Just yesterday, an anonymous whistleblower from inside Project Nightingale spoke out. A video posted on Daily Motion includes hundreds of images showing confidential files relating to Project Nightingale. The video has since been pulled from the site for breaching their Terms of Use.

In an interview with The Guardian, the whistleblower said that employees assigned to Project Nightingale have serious concerns about the secrecy of the data transfer.

Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place. This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.”

The whistleblower elaborated:

Patients haven’t been told how Ascension is using their data and have not consented to their data being transferred to the cloud or being used by Google. At the very least patients should be told and be able to opt in or opt out.”

The anonymous employee also published an essay in The Guardian explaining the decision to come forward. The following is an excerpt from that article:

After a while I reached a point that I suspect is familiar to most whistleblowers, where what I was witnessing was too important for me to remain silent. Two simple questions kept hounding me: did patients know about the transfer of their data to the tech giant? Should they be informed and given a chance to opt in or out?

The answer to the first question quickly became apparent: no. The answer to the second I became increasingly convinced about: yes. Put the two together, and how could I say nothing?

So much is at stake. Data security is important in any field, but when that data relates to the personal details of an individual’s health, it is of the utmost importance as this is the last frontier of data privacy.

With a deal as sensitive as the transfer of the personal data of more than 50 million Americans to Google the oversight should be extensive. Every aspect needed to be pored over to ensure that it complied with federal rules controlling the confidential handling of protected health information under the 1996 HIPAA legislation.

And that’s the question everyone seems to be asking: “Is Project Nightingale a violation of the Health Insurance Portability and Accountability Act?”

The Ethics and Legality of Project Nightingale

Despite statements from both Google and Ascension claiming that Project Nightingale adheres to federal regulation, an inquiry is already underway. One day after the secret project was exposed, the Department of Health and Human Services’ Office for Civil Rights opened an inquiry into Project Nightingale.

In a statement to CNN, director Roger Severino said that his office “would like to learn more information about this mass collection of individuals’ medical records with respect to the implications for patient privacy under HIPAA.”

But HIPAA stipulates that they can share data with business partners without telling patients “only to help the covered entity carry out its health-care functions.” Employees working on the project are concerned that this isn’t the case, and they’re not alone.

Ellen Wright Clayton, a professor of biomedical ethics at Vanderbilt University, says that Google would be in violation if they use the data to conduct research that is not directly used for patient care. She goes on to say,

The optics are bad. The legal argument is tenuous. Ethically, this is a bad strategy. They need to tell people what they are doing.”

Google has not yet said if they will run this kind of independent research, and employees are still combing through the copious amounts of data being transferred to the cloud. There’s so much data involved that the transfer won’t be complete until March of next year. It will include data on at least 50 million patients.

No one knows exactly how Google plans to use the data, but we do know that they’ve been careful to run the entire project in secret. Google wants to become the preferred cloud platform for health care providers – and it looks like they’ll do anything to accomplish that goal.

There are questions that need to be answered. Most importantly, is Google violating HIPAA? What are they doing with our information? Is our data protected from employees and hackers who may want to gain access? And most importantly, what will the introduction of Google’s AI mean for medical freedom?

Only time will tell…

We’ll continue to keep you updated as this story unfolds.