33 votes

I'm the Google whistleblower. The medical data of millions of Americans is at risk

14 comments

  1. [2]
    patience_limited
    Link
    It is with deep disgust that I'll advise you Google's access to U.S. patients' medical records is by no means unique, even in scope.

    A wide range of companies are granted full visibility into your medical records, complete with personal identification. This access takes place via system APIs and HL7 interfaces, remote access, or mailed and faxed copies.

    Most medical practices and hospitals outsource or use third-party systems for insurance verification, billing, collections, disability qualification, and other activities. Patients are asked to sign a general records release form, which doesn't specify the companies that will handle their information.

    Under the U.S. HIPAA law, all of the parties which can access your records have to sign Business Associate Agreements. These agreements basically say they'll use your records only for the contracted purpose your healthcare provider designated, and not share them with anyone else.

    HIPAA has very steep penalties for sharing or leaking data outside the scope of the agreement. However, it doesn't have a great deal to say about what providers and third parties can agree to use the data for, as long as it's considered to be agreed upon in a contract. Patients don't have any insight into those contracts, and there's no obligation to consider patients' benefit.

    For instance, a hospital system could use a third party to aggregate patients' billing/collections data, demographics, and diagnosis codes to develop an improved algorithm for charging the maximum amount which will be repaid, or to market premium/elective services to the most affluent patients.

    It's certainly conceivable that Google could help optimize delivery of the most cost-effective, humane treatment to the broadest possible population. But if there was any marketplace incentive for that, we'd have national healthcare already.

    14 votes
    1. Gaywallet
      Link Parent
      a hospital system could use a third party to aggregate patients' billing/collections data, demographics, and diagnosis codes to develop an improved algorithm for charging the maximum amount which will be repaid, or to market premium/elective services to the most affluent patients.

      This is what they've been doing for quite some time now. There are laws (and penalties) which prevent them from up-charging patients. This is simply a way to ensure that they are charging patients appropriately for what was done to them during the hospital stay. The reality is there's no difference between this and raising rates across the board except that collective bargaining is an outside pressure to prevent them from doing so (a side note - this is also an argument for why national healthcare is important).


      The points you bring up are absolutely important to anyone who does not have any insight into health care because they have not yet been exposed to the troublesome web that is health care law. However, there are some practical limitations to what kind of uses someone like Google will get out of a partnership with a health care organization.

      The reality is that a healthcare organization is not going to sign a business agreement with Google allowing Google to use the data for any sort of patient care for a variety of reasons. First and foremost, Google probably doesn't employ enough health care lawyers to begin to navigate health care law. Secondly, Google doesn't currently employ any practicing physicians (at least in the Bay Area, they contract all their in-house medical). Thirdly, a health care organization is not going to be willing to directly benefit a competitor, especially one with so much capital and the ability to drastically change the medical field. Finally, given that these business agreements are designed for a specific use case, I find it unlikely that Google or anyone else is going to be able to come up with a reason that they need to see nearly any clinical data on a patient (you can perhaps make an argument for financial data and what was billed, giving them some insight into patient care) and this severely limits the scope of what can be done with health data.

      I expect, instead, that what we will see out of large tech companies attempting to enter the health care field is that they will focus on consumer-facing products first - people who are already engaged with their health because it is a major part of their life. They likely will also serve ancillary services like perhaps providing additional risk modeling to insurance companies (this is what I'm most worried about, given the repeal of Obamacare) or to companies which offer healthcare for their employees.

      There's certainly a lot to be potentially worried about, but it's also not exactly the wild west when it comes to health care data. In the US we actually do have a good amount of protections on health care data (including, thankfully, requirements and recommendations on how to store and send said data in a secure fashion). You are right, however, to bring up that we should expand these protections before the data are abused.

      4 votes
  2. [6]
    Surira
    Link
    HOLY CRAP! Did anyone get the popup asking you to share cookies and all sorts of information? I clicked "No" on all of them, then wanted to check the Vendors tab, and I think there were about 500 ad companies they work with. So effing shady. The Guardian is putting your data at risk too.

    7 votes
    1. [4]
      cwagner
      Link Parent
      I did not. Get uBlock Origin and if you care enough to put some effort in, also get uMatrix (this requires more fiddling to make most sites work as it blocks all 3rd party scripts by default). The situation is sadly the same for almost all big websites.

      11 votes
      1. [3]
        Surira
        Link Parent
        I have uBlock Origin and it still came up

        1 vote
        1. firstname
          Link Parent
          I myself run Firefox with the maximum security settings, HTTPS Everywhere, DuckDuckGo Privacy Essentials, Decentraleyes, uBlock Origin and Privacy Badger as my addons. Even though I use all these addons I don't think it makes a huge change. Although, adding a few more addons is not a bad idea, and I can recommend all of these. The more the better imo, as long as the surfing is smooth and all the websites I use work properly.

        2. cwagner
          Link Parent
          I guess it was uMatrix that blocked it then ;)

    2. Wendigo
      Link Parent
      I'm really sorry! I'm on mobile and didn't have any sort of pop ups.

      3 votes
  3. [6]
    mieum
    Link
    Does anyone have an idea about what this whole project is actually for? I don't mean to be the cynic, but the lack of transparency makes me wonder if this could have something to do with their contracts with the military?

    5 votes
    1. [5]
      Wendigo
      Link Parent
      https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790 Here this article goes into more detail about the project
      7 votes
      1. [4]
        mieum
        Link Parent
        Thank you :) I have to find a way around that paywall though.

        2 votes
        1. [3]
          nacho
          Link Parent
          Journalism is worth paying for if you want to stay informed.

          If we rely on journalism to be free, we have to accept lower quality, intrusive ads and that we are not the ones financing reporting. That means there are other interests at play for what is reported, what is not and how it is reported than if we as news readers are the ones paying reporters' bills.

          I'd say WSJ is definitely one of the publications it's worth paying for.

          6 votes
          1. Keegan
            Link Parent
            Yeah it's a good site but not everyone can afford it tbh.

            3 votes
          2. mieum
            Link Parent
            I understand what you are saying, and I know WSJ is a reputable, quality source. I do disagree about it being free from other interests simply because it is subscription-based.