Feds Launch Probe Into Project Nightingale, Which Secretly Gave Google Access to Americans' Medical Data

Google's massive move into the medical information field known as Project Nightingale may be creating a database of patient information that is not compliant with the Health Insurance Portability and Accountability Act (HIPAA) and which does not require the consent of patients to release their personal information, according to multiple sources. Not only has a whistleblower posted a video online that raises questions about the ethics and legality of Project Nightingale, but a federal probe into the project has been announced.

Project Nightingale is a collaboration between Google and the second largest health care provider in the U.S., Ascension. Information, already accessible by Google staff, has not been edited to remove identifying pieces of personal information, such as names and medical histories, according to The Guardian.

Ascension, which employs 34,000 providers across 21 states, has not informed their patients or doctors about the data sharing, according to Ars Technica.

"As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve as well as our own caregivers and healthcare providers," said Ascension Executive Vice President of Strategy and Innovations Eduardo Conrado in a statement. "Doing that will require the programmatic integration of new care models delivered through the digital platforms, applications, and services that are part of the everyday experience of those we serve."

In a blog post updated November 12, President of Industry Products and Solutions for Google Cloud Tariq Shaukat said Project Nightingale's aims are threefold. Ascension's infrastructure will be shifted to the cloud, which will allow Ascension employees to use G Suite tools and allow medical professionals to improve levels of the quality of patient care and safety.

Google also said Project Nightingale is in full compliance with HIPAA.

HIPAA, confidential data, medical,
Project Nightingale is the subject of a federal probe into whether or not the medical data collection partnership between Google and health care provider Ascension violates HIPAA laws. Getty

"In accordance with HIPAA and the BAA we sign with our customers," Shaukat wrote, "patient data cannot be used for any other purpose than for provisioning the tools specific to the customer. Google ensures that the data is kept securely in accordance with the product's HIPAA obligations and ISO certification."

"We believe Google's work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage," Shaukat added.

But the whistleblower raised their own concerns about Project Nightingale with their video, which shows notes and schedules from meetings about the project.

"Google desires to use the data, mine it and write algorithms based on patient data," the video said. "In addition, Google seeks to use the data to build their own products which can be sold to third parties. They can build many products using patient data and one such product is 'Google Health Search.'"

The whistleblower describes Google Health Search as "basically like the Google search we all have come to use to search what movies are coming out soon or to find answers but this time it's used to find patients information."

"Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place," the anonymous whistleblower said in an interview. "Do you want your most personal information transferred to Google? I think a lot of people would say no."

Federal inquiries into Project Nightingale will be handled by the Office for Civil Rights in the Department of Health and Human Services, which "will seek to learn more information about this mass collection of individuals' medical records to ensure that HIPAA protections were fully implemented," said Director Roger Severino according to CNET.