Paging Doctor Google… Doctor Google, Please Report “Everywhere”.

Initially reported by the Wall Street Journal and corroborated by the New York Times, Google and health care provider Ascension (the second-largest managed health system in the U.S.) initiated “Project Nightingale” last year in the shadows of ominous secrecy. Data sharing between the two organizations has been steadily increasing since summer 2019. Supposedly the objective is an effort to crunch patient data to improve health care treatment and administration. Ascension is a St. Louis-based, Catholic Heath Care System consisting of over 2,600 hospitals, Doctor’s Offices, and other facilities throughout the United States.

Patient data being shared includes, but is not limited to: Full Name, Date of Birth, Address, Social Security Number, Insurance Information, Payment History, Place of Employment, Emergency Contact Information, Family Members, Family Medical History, Allergies, Immunizations, Radiology Scans, Hospitalization Records, Lab Tests, Medications, and all known Medical Conditions. As data flows into “Project Nightingale”, the system may suggest: treatment plans, suggested tests, and replacement or additional doctors to the patient’s care team. Furthermore, the “Project Nightingale” system will flag unusual deviations in care, allow for additional enforcement of narcotics policies, and also suggest that Ascension bill the patient more money for certain procedures.

What is most alarming, is that Ascension and Google can share this data completely in secret without much, if any, oversight. Neither the patients nor the patient’s doctors were notified of the data sharing between the two entities. What’s even worse, is that it’s all perfectly legal under current HIPAA regulations. HIPAA, is the Health Insurance Portability and Accountability Act of 1996, that was created to maintain the privacy and security of OUR medical data. However, there’s a giant loophole in HIPAA that allows hospitals to share data with “Business Partners” without telling patients, as long as the information is used “only to help the covered entity carry out its health care functions.”

As a general rule, technology has enhanced our lives and driven us forward to amazing discoveries. However, Google has an established track record of how they manipulate data and the number of times they’ve been breached through their various platform offerings. In light of all of this, we really have to ask whether Google is fit be the “Trusted Custodian” of this level of sensitive Personally Identifiable Information?

Sources

Wall Street Journal
https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790?mod=hp_lead_pos1

Department of Health & Human Services
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Ars technica
https://arstechnica.com/science/2019/11/would-you-trust-google-with-your-medical-records-it-might-already-have-them/

The Verge
https://www.theverge.com/2019/11/11/20959771/google-health-records-project-nightingale-privacy-ascension

Slashgear
https://www.slashgear.com/project-leak-claims-google-is-collecting-millions-of-health-records-11599246/

Business Wire
https://www.businesswire.com/news/home/20191111005613/en/Ascension-Google-working-healthcare-transformation/

Ascension
https://healthcare.ascension.org/

Ready to have a conversation?

We would really love to hear from you! Give us a call at 608-563-1975 or fill out the form below to start working with our team.

Fill out my online form.

Why Attacks on Critical Infrastructure Are Dangerous
Critical Infrastructure (CI) comprises physical and cyber assets vital for the smooth …
4 Reasons Cybersecurity Attack Surfaces Are Expanding
The COVID-19 pandemic impacted individuals and businesses all over the world in …
How Can Cyber Resilience Protect SMBs?
Small and Medium Businesses (SMBs) usually invest less in cybersecurity, making them …
How to Build a Security-First Culture That Empowers Your Hybrid Workforce
Tools are only as good as their users. This should be your …
Top 9 IoT-Related Security Threats Businesses Face
The Internet of Things (IoT) is rapidly changing the technology landscape as …
All You Need to Know About Least Privilege
In IT, the principle of least privilege (PoLP) refers to the concept …
Kaseya VSA Ransomware attack
We at ITNS Consulting would like to commend Kaseya for their amazing …
Your Biggest Cybersecurity Risk: Your Untrained Employees
Cybercriminals work round the clock to detect and exploit vulnerabilities in your …