
Google's harvest of medical data includes names and full details of millions - hellllllllooo
https://www.theguardian.com/technology/2019/nov/12/google-medical-data-project-nightingale-secret-transfer-us-health-information
======
dragonwriter
If entering into a BAA under HIPAA for work involving PHI is “harvest”, and
you're worried that this reaches “millions” for Google, you probably don't
want to think about the deals public and private firms in the healthcare and
health insurance/payments space have with Amazon and Microsoft.

From the news article (I don't have time to review the source leak independently)
there doesn't seem to be anything really concerning here. The closest to an
indication of anything wrong seems to be that someone raised an issue about
the risk of improper employee use of data and a need for training around that
in an internal meeting on the project and has not received a formal specific
response on that issue from corporate leadership. Having spent a long time in
HIPAA-related work, that neither that issue being raised in regard to a new
project or the fact that it was raised being merely one of many inputs into a
policy generating process that makes general adjustments considering a wide
range of concerns, legal parameters, and other issues but not receiving a
specific direct response seems...pretty typical. And HIPAA does not require
notification or opt-in (or even opt-out opportunity) for data sharing between
a covered entity and Business Associate, as BA’s are (while under HITECH
independently subject to HIPAA privacy and security rules) basically
considered institutional agents of the covered entity to which the covered
entity’s authority to have and use data is delegated under the Business
Associate agreement.

I don't know if there is really nothing of concern in the dump or the
journalists covering it don't have enough understanding of the domain to even
distinguish things that would indicate a problem, but what it looks like from
the news article is a “whistleblower” making accusations and dumping docs, but
nothing substantial and concrete in the docs supporting the thrust of the
“whistleblower’s” accusations of wrongdoing.

~~~
TaylorAlexander
Not defending the article (I’ve not read it), but I suppose I probably would
be horrified with the status quo. I really wish we had a more consent based
data culture. I suppose I don’t know how that would be designed. But lots of
real things are horrifying and it’s not necessarily fine just that something
is normal.

~~~
dredmorbius
My view is that consent is oversold. If I "consent" to a boilerplate agreement
handed me moments before an action is taken, have I really?

Boundaries and distributions should be clearly, specifically specified, with
any non-essential distributions requiring specific assent, defaulting to none.
If there are consequences to sharing, those can be made known. We've been
drawn into a circumstance which has long been untenable.

~~~
dragonwriter
> If I "consent" to a boilerplate agreement handed me moments before an action
> is taken, have I really?

A not uncommon practice with HIPAA “disclosures” is to sign an electronic
device that records the signature (and provides no evidence that the document
your signature is associated with is anything like the one you were given)
_prior_ to being provided with documents. So, yeah, the practices around
consent with PHI suck pretty hard.

~~~
dredmorbius
I would flat out refuse.

------
altgoogler
Googler here, my opinions are my own, standard disclaimer.

I'm not going to comment on this specific case but I do have almost a decade
of previous non-Google experience working in clinical documentation
technology.

As others have said, entering into a BAA with a covered entity, as HIPAA
defines it, shouldn't be seen as a controversial action.

There are numerous problems in healthcare that are too complex for individual
health systems to tackle. For example:

* Population Health: are there emergent changes in the regional population? What do you do about it?
* Continuity of Care: The number of individual providers involved in a particular person's care continues to grow. How can you effectively inform the entire team--across health systems--what's most important for an individual now? How do you make sure nobody drops the ball?

To give you an idea of the scale, I have two examples. The first is MD
Anderson Cancer Center in Houston. They used to have 200+ engineers working on
their sophisticated home-grown EMR. It was a huge undertaking. But even with
MDACC revenue, that development was unsustainable, and they moved to a 3rd
party EMR vendor.

Second is the Mayo Health System. Another huge provider with facilities not
just in flagship Rochester MN, but in several other sites. Again, there were
realities that even at this scale internal development isn't sustainable
across the board and they wound up with a $100M+ adoption of a 3rd party
vendor.

And this is mostly straight-forward CRUD-level workflows. The technology is
straightforward but the workflow expertise is not.

Now, try and solve some bigger problems. You're going to need help to do this
at scale, and trying to solve it necessarily means giving access--not control
of!--to medical records to drive R&D. It's happening right now, and Google is
not the only player doing this at scale. They're not even the largest one.

Lastly HIPAA controls have real teeth, in comparison to the general consumer
space (at least in the US).

~~~
JohnFen
> As others have said, entering into a BAA with a covered entity, as HIPAA
> defines it, shouldn't be seen as a controversial action.

You place more faith in HIPAA than I do. HIPAA does not protect privacy to the
degree that most people assume.

> There are numerous problems in healthcare that are too complex for
> individual health systems to tackle.

True, but that doesn't mean that Google is the right entity to do this. In my
opinion, they're the wrong entity, because Google is not exactly trustworthy.

> Google is not the only player doing this at scale. They're not even the
> largest one.

But they're Google. What this sort of thing means for me is that I need to
start asking medical providers if they're participating in this sort of thing
with Google (or other companies that I consider bad actors), so I know which
ones to avoid using.

~~~
altgoogler
> You place more faith in HIPAA than I do. HIPAA does not protect privacy to
> the degree that most people assume.

That's correct. People would be surprised at the number of HIPAA violations
that happen every day. It is, however, among the strongest and most
well-enforced data privacy laws (in the US).

> True, but that doesn't mean that Google is the right entity to do this. In
> my opinion, they're the wrong entity, because Google is not exactly
> trustworthy.

You're certainly right to be concerned. I don't share your opinion about
Google per se, but this is important data for our society. I'd argue that
OpSec at a large provider--let's say Microsoft--is more sophisticated than a
start-up. So how does an organization decide who is the "right" entity to deal
with?

> But they're Google. What this sort of thing means for me is that I need to
> start asking medical providers if they're participating in this sort of
> thing with Google (or other companies that I consider bad actors), so I know
> which ones to avoid using.

If this is important to you, I would strongly encourage it. Our health
industry is better when consumers are better informed, and can make informed
decisions. Personally, it's more important to me to be able to actually know
how much a procedure is going to cost rather than who owns the AI stack behind
their clinical decision support system.

~~~
JohnFen
> So how does an organization decide who is the "right" entity to deal with?

Practically speaking, that's up to the company -- but the company needs to
make sure that their clients are informed and are able to withdraw their data
if they're concerned.

The larger part of what's wrong with this particular deal is that it was done
in secret. Patients and doctors were not informed of this until after data has
begun to be transferred. They should have been, and patients should have been
given the option to remove their data from the dataset and find another health
care provider if they wish.

> Personally, it's more important to me to be able to actually know how much a
> procedure is going to cost rather than who owns the AI stack behind their
> clinical decision support system.

I agree that knowing costs is very important, but we're miles away from that
being a thing that is possible. In the meantime, I think it's important not to
backslide in other areas such as this one.

I'd also say that my concern isn't really about who owns the stack, or the
cloud. That sort of battle was lost years ago. My concern is the ability of
Google to access that information.

------
yRetsyM
What is actually happening here? A lot of rhetoric about the "Transfer of
data" etc, but other times this just reads like a Google Cloud Infrastructure
play, with some consulting on top.

Also - The deal was only just signed, e.g. the transfer hasn't happened yet?

There's a lot of hearsay in all of this reporting...

~~~
umeshunni
Seems like a lot of fake news over a cloud storage deal

https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension?mod=article_inline

~~~
excalibur
This is not "fake news" at all. This is the same factual event covered with a
different spin. Use of the term "fake news" to describe reporting that is
merely slanted in a direction you don't like--rather than presenting
demonstrably false information as fact--is completely unwarranted, and is
doing terrible damage to our social institutions.

~~~
izacus
This is a TEXTBOOK case of fake news - a newspaper owned by Google competitor
spinning purchase of space on encrypted Cloud Storage and Google Apps
productivity suite as a big medical data mining attempt by Google to drive a
political agenda.

There are obvious concerns around data security here, but the article is very
heavily distorting facts to drive outrage.

~~~
mattkevan
Also the Guardian isn’t owned by a Google competitor - it’s owned by the Scott
Trust, an organisation set up specifically to maintain the paper’s editorial
independence.

They have viewpoints which include a distrust of very powerful global
corporations, and one you may or may not agree with - but it’s nowhere near
‘fake news’.

https://en.m.wikipedia.org/wiki/Scott_Trust_Limited

------
SEJeff
How is this not a criminal breach of HIPAA laws?

https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

~~~
izacus
Google's press release actually addresses HIPAA:
https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension?mod=article_inline

~~~
bduerst
Important part:

> What about patient data? All of Google’s work with Ascension adheres to
> industry-wide regulations (including HIPAA) regarding patient data, and come
> with strict guidance on data privacy, security and usage. ... To be clear:
> under this arrangement, Ascension’s data cannot be used for any other purpose
> than for providing these services we’re offering under the agreement, and
> patient data cannot and will not be combined with any Google consumer data.

~~~
OnlineGladiator
> and patient data cannot and will not be combined with any Google consumer
> data.

Does anybody enforce this or do we just take Google at their word?

~~~
papln
Does anyone enforce any law?

~~~
OnlineGladiator
When there's an obvious breach, hopefully. How would we even know if Google
were abusing this data though? Does anyone have access to it besides Google?
Are we literally asking Google to regulate itself with this data?

EDIT: I guess I don't understand. Once we give Google the sensitive
information, how do we have any way of knowing what they do with it? I'm
guessing an audit on all of Google's data is out of the question.

~~~
mattmanser
The point of this article is that a whistleblower is saying "they're not
controlling access properly".

While the Grauniad is trying to spin it to sound worse, the whole point is
Google are providing data processing services to a valid HIPAA processor via
Google Cloud, not that they nefariously bought the data to integrate it with
the search results.

Much like health data stored on AWS with a dedicated internal project team
could be accessed by "Amazon" staff. It's kinda the point, the Google staff
have been brought in to help manage the data.

~~~
JohnFen
> not that they nefariously bought the data to integrate it with the search
> results.

I don't think that anyone is claiming they are intending to do this.

------
chooseaname
> Google could go on to use its AI analytics to predict outcomes for
> individual patients, they posited.

This is the most scary part[0]. I'm sure plenty here would disagree, but I
simply don't (yet) share your optimism for A.I.

[0] Not that the rest isn't scary.

~~~
throwaway35784
Uber's AI won't even slow down when it sees a person in the road. A computer
can prescribe a drug for me, but _I_ can't prescribe a drug for me?

Can I please have my life back please?

~~~
shadowgovt
Drug self-prescription is forbidden for several good reasons that have stood
the historical test of time, unfortunately.

It'd be convenient if we could assume perfect personal responsibility, but
human behavior doesn't align with that assumption.

~~~
throwaway35784
Prescriptions aren't required in many countries of the world. Protecting
people from themselves is not a good reason. If it were lots of dangerous
activities would be illegal.

You can risk your life to make it more fun, but not more healthy?

Prescriptions in the USA have only really been a thing for the century since
the Harrison act, which brought drug smuggling with it.

------
Aaronstotle
Any Google employees/friends of Google employees here with insight as to how
staff is receiving this news? My guess is like all other egregious abuses of
power, the employees will stage a "protest" to feel good about themselves then
keep working there.

~~~
shadowgovt
I don't think they see this as an egregious abuse of power. Googlers trust
Google to do a pretty decent job of securing private information almost all of
the time; this isn't an area of moral concern for them.

(i.e. the question in their minds is "Is the data safer in the source
repositories?" And it's probably not).

~~~
JohnFen
The problem is that Googlers (like far too many tech companies) view data as
being secure if outsiders can't get access to it. They don't count access by
themselves as a security issue, even though it objectively is.

~~~
smueller1234
Googler here. I don't speak for Google and obviously shouldn't and won't
divulge internals, but this just makes me cringe so hard: unauthorized or
illegitimate access by staff is OBVIOUSLY treated as a security issue. I'm
kind of shocked that folks would think otherwise.

~~~
JohnFen
Just to clarify, I was not referring to unauthorized or illegitimate access. I
was referring to company-sanctioned access.

------
rayuela
So what do we do to stop this? What recourse do people directly affected by
this have?

~~~
twobat
GDPR should kick in long before medical data is on the table.

~~~
dragonwriter
GDPR will only occasionally and coincidentally (if at all) be relevant to
health data held by US health care providers and their business associates,
whereas HIPAA will always be relevant.

------
valiant55
> The disclosed documents include highly confidential outlines of Project
> Nightingale, laying out the four stages or “pillars” of the _secret project_.

> Among the documents are the notes of a private meeting held by Ascension
> _operatives_ involved in Project Nightingale.

The whole article is written like they are trying to tell a spy story which
brings into question the credibility that there's any wrongdoing.

------
Braggadocious
I fear all of this will be used as part of a prediction program to find the
best employees based on performance metrics. Imagine if before you even gave
an applicant a callback you could see if they've ever had a bout of
depression, insomnia, anything that may affect their job performance or the
performance of their team. That would be a standard part of any background check
if that information was available.

~~~
perl4ever
The nice thing about the modern world is that nobody has to make the decision
to do that or be aware. That sort of discrimination can filter through ML-
derived correlations at two, three or more levels removed, and every human
being can be as innocent as can be.

------
vfclists
Where is the Guardian's report on this -
https://www.dailymail.co.uk/health/article-7588337/Google-gets-green-light-access-FIVE-YEARS-worth-sensitive-patient-data-NHS-trust.html

As a UK-based paper, the Guardian could at least focus on British issues

------
me_me_me
I wonder if this is not a coincidence given acquisition of Fitbit.

~~~
ocdtrekkie
Google's been investing in medical data analysis long before buying Fitbit.
They got in trouble for DeepMind's involvement with NHS data over in the UK,
which started years ago. And then Google absorbed that whole project from
DeepMind into Google Cloud proper, after assuring the British government
Google would never have access to the data from the project.

tl;dr: Unrelated avenue in a field they've been interested in for a long time.

------
1_over_n
Personally I think the frustrating thing here is that it sours the pool for
others who are interested in medical innovation that requires data.

------
drcode
I know I'm very much in the minority here, but just like we should have more
open borders and more open software, we should encourage more openness around
medical data.

Google and other large companies have made some significant AI advances in the
last decade & I think it's in all of our interests to see if these advances
can lead to improvements in health care.

Yes, it's scary how much data these companies have collected about us, but
there are other things in the world which are even more scary, like heart
attacks and cancer. I think we need to stop having an automatic knee-jerk
reaction every time a company gets access to our data, especially if proper
legal protocols with privacy protections are being followed, as it appears to
be in this case.

Of course, I would love to live in a world with 100% perfect personal privacy
AND perfect treatments for all diseases, but we don't live in that world: In
our world, as we move forward, there are going to be difficult tradeoffs
between health innovation and patient data access: We should try to navigate
these tradeoffs in a level-headed way, without just insisting on greater walls
around all data in every instance.

~~~
legulere
I know how hard it is to get enough medical data to do research. But why do
you need names? Correlate diseases with first names?

~~~
bilbo0s
Totally agree.

Last thing we should do is have radically open medical data. Some busybody
parent could go out and search all the kids in her kids' school who might
have HIV or something. Or imagine all the crazies out there searching for a
list of women in their town who have had abortions.

The only thing you do with open medical data is ratchet up the "crazy" in
society. In an ideal world where everyone is rational, it's fine. But that
world doesn't exist.

------
JohnFen
Every time that I think that Google couldn't be any worse, they prove me
wrong.

------
Lagogarda
Stopped reading after 2 popups and one ad blocked the article.

------
kyrra
dupe.
https://news.ycombinator.com/item?id=21507370

~~~
kyrra
Instead of down voting me, you could reply saying that this article has new
details (like the leaked presentation). I just assumed it was a repost of
yesterday's discussion.

~~~
dredmorbius
My practice is to usually limit "dupe" to the identical link or story
submitted multiple times. Major mainstream breaking news possibly excepted.

For different takes on the same story, "Previously" with a link to earlier
discussion, may be better.

For evergreen topics (e.g., Bertrand Russell's "In Defence of Idleness",
submitted many times through the years, and again a day or so back), "earlier
submissions" noting the years, of 2-3 top instances, can point to earlier
interesting discussion.

------
swedtrue
Time to use private cloud

