
Google collects health data of millions with secret “Project Nightingale”

Google holds more of your data than just about any other company, including Facebook. It knows your online browsing activity, your spending habits and a plethora of personal information about you — and now it seems Google's coming for your health data, too. According to a report from the Wall Street Journal, Google has been secretly building out an initiative intended to collect and analyze the health records of millions of Americans.

The project, which is known inside Google as Project Nightingale, has the search giant teaming up with Ascension, the second-largest health system in the United States. Through the partnership, Google has reportedly been gaining access to information including lab results, doctor diagnoses and hospitalization records. On top of that, the company has also gathered details about each patient's complete health history as well as identifying information like the patient's name and date of birth. According to the Wall Street Journal, the company has already managed to collect millions of health care records from hospitals spanning 21 states — though neither doctors nor patients have been told that the data is being shared with Google. Despite this, as many as 150 Google employees have reportedly been given access to the data.

If that all seems a bit shady, that's because it is — but it doesn't appear to be illegal. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 gave hospitals permission to share data with companies that they have a business relationship with, assuming the information is used to "help the covered entity carry out its health-care functions." What role Google plays in helping Ascension isn't entirely clear, though the company told WSJ that Project Nightingale is fully compliant with federal health laws and is designed to protect patient data. According to the report, the initiative is meant to help design new software that utilizes machine learning and artificial intelligence to help suggest changes to a patient's care — perhaps similar to the type of service that IBM theorized with its Watson AI, though Watson has largely underachieved in actually providing the type of improved care and medical analysis that had been promised.

Google has certainly been showing an increased interest in health data recently. The company just spent $2.1 billion to acquire Fitbit in large part to gain access to the health and fitness data belonging to the more than 28 million active users. Those little fitness trackers contain way more than just the number of steps a person takes — user profiles contain a person's gender and date of birth, as well as other bits of information like location, heart rate, sleep habits and more. With that brand in Google's portfolio, the company has a huge amount of data that it can crunch, synthesize and spit out for any number of purposes — from helping to train algorithms like those that may be in use in Project Nightingale to offering heavily targeted advertising based on a person's activities.

This increased interest in health data comes against the backdrop of Google's allegedly reckless past handling of such information. From 2009 to 2016, the company was given access to University of Chicago Medicine patient data in order to help develop new AI tools designed to aid in diagnoses and care. A lawsuit filed this year claimed that the company mishandled that data, failing to completely anonymize the information and potentially exposing patients, including those with sensitive information in their health histories. The suit claims that data from devices belonging to patients could be combined with other information to identify an individual, which is troubling for any person who may have had their medical status exposed. And it's not the first instance of the company coming under fire for its handling of sensitive medical data. In 2015, Google subsidiary DeepMind agreed to develop apps for doctors and nurses as part of a partnership with the United Kingdom's National Health Service (NHS). To help develop those programs, Google received access to patient records, which a U.K. data watchdog claimed the company mishandled. According to the Information Commissioner's Office (ICO), Google "failed to comply with data protection law" and the agreement between NHS and the company failed to properly inform patients of how their information would be accessed and used.

Tech companies have shown increased interest in health care in recent years, with Amazon, Apple and Microsoft all attempting to offer their technology to process health records and medical information. But new protections — and ways to enforce those rules — need to be explored before giving Big Tech the keys to everyone's health records.