
Google whistleblower: the medical data of millions of Americans is at risk - dotism
https://www.theguardian.com/commentisfree/2019/nov/14/im-the-google-whistleblower-the-medical-data-of-millions-of-americans-is-at-risk
======
sys_64738
Why does an ad company need my medical data?

------
vkaku
I salute you, O Whistleblower!

------
marmot777
There are HIPAA regulations that are supposed to protect the data, but I take
it people don’t trust that there’s sufficient oversight.

------
atonse
We can only rely on whistleblowers to tell us truly what's going on behind the
scenes with these kinds of things.

Kudos to the whistleblower for coming out.

Look at how this is done vs. how Apple is doing their health program. There's
tons of transparency, they're openly talking about doing studies with Medical
Schools, and the medical parties are publishing results.

------
tmaly
A single HIPAA violation for a single record alone is costly. There was an Ask
HN post a few weeks back where someone posted a medical record horror story.
They later deleted the post after it was pointed out that even programmers are
criminally liable.

------
tylerl
This strikes me as a whistleblower fail.

The story isn't, "I know that something bad happened", as whistleblowing is
supposed to mean. Instead they complain that essentially, "I am not personally
privy to the consent requirements and privacy protections required, nor do I
know what has been implemented." Which... congratulations on not being
important, I guess?

But in particular, this person gives an emotional plea that people must be
given the explicit opportunity to "opt-out", not from the medical research in
general, but from any subset of research conducted in collaboration with
Google, specifically because it's Google, rather than another research
contractor.

I dunno. Should Internet users be given the opportunity to opt out of having
their IP packets transit fiber owned by AT&T? I mean, sure, I agreed to a bunch
of stuff when I signed up with my ISP, but my provider is Comcast. They never
mentioned AT&T. And some of those packets might not be encrypted....

------
dang
The recent thread on this:
[https://news.ycombinator.com/item?id=21514952](https://news.ycombinator.com/item?id=21514952)

------
altgoogler
Disclaimer: Googler here, my opinions are my own.

I have no non-public knowledge of this topic besides these two Guardian
reports, and the Google public blog post on the same subject[1].

I do, however, have nearly a decade of non-Google work experience in clinical
documentation technologies, at a company that had BAAs with literally dozens
of health companies.

I simply do not understand the objection this whistle-blower is raising. As
far as I understand it, the controversy is simply because Google is involved.

> Above all: why was the information being handed over in a form that had not
> been “de-identified”

DeID is typically used at the edges of an IT system, and is tailored to the
rights of certain users accessing the system. If you have a system that says,
"A ha! There's a patient with a 5mm AAA with no evidence of follow-up! They
need a procedure STAT!", you obviously need to have the original documentation
to know who to contact.

There are ways to keep PHI (identifying info) separated from documentation,
but if Google is both the cloud storage provider _and_ doing R&D, both sides
of that system would fall on the Google side of the fence.
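
To make that concrete, here is a toy Python sketch of what "PHI separated from
documentation" can look like (my own illustration, not anything from Google or
Ascension; the field names and the "5mm AAA" rule are made up): the R&D side
works only against a surrogate key, and re-identifying a flagged patient
requires the separate identity store.

    import uuid

    identity_store = {}  # surrogate_id -> PHI (name, MRN, contact info)
    document_store = {}  # surrogate_id -> clinical content with identifiers stripped

    def ingest(record):
        """Split an incoming record into PHI and de-identified clinical content."""
        surrogate_id = str(uuid.uuid4())
        identity_store[surrogate_id] = {k: record[k] for k in ("name", "mrn", "phone")}
        document_store[surrogate_id] = {"notes": record["notes"]}
        return surrogate_id

    def flag_followups():
        """R&D side: runs only on the de-identified documents."""
        return [sid for sid, doc in document_store.items()
                if "5mm AAA" in doc["notes"] and "follow-up" not in doc["notes"]]

    def contact_patient(surrogate_id):
        """Care side: re-identify a flagged patient so someone can actually reach them."""
        return identity_store[surrogate_id]

When one party hosts both stores, as described above, the separation is
organizational rather than physical.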

The bulk transfer of documents was almost certainly done via HL7v2 messages
which, IIRC, don't have any built-in mechanism for redacting PHI; and even if
they did, health systems usually lack the expertise to do this consistently
across all the BAAs they contract with.
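
For anyone who hasn't worked with HL7v2: it's a pipe-delimited,
segment-per-line format where the identifying fields sit inline in the PID
segment. A quick sketch (the sample values are invented, but the segment/field
layout is standard v2), parsed naively in Python:

    sample_message = (
        "MSH|^~\\&|SENDING_APP|HOSPITAL|RECEIVER|CLOUD_VENDOR|20191114||ADT^A01|MSG00001|P|2.3\r"
        "PID|1||123456^^^HOSP^MR||DOE^JANE||19700101|F|||123 MAIN ST^^SPRINGFIELD^IL^62701\r"
        "OBX|1|TX|NOTE||Abdominal pain; 5mm AAA noted on imaging, no follow-up scheduled.\r"
    )

    for segment in sample_message.strip("\r").split("\r"):
        fields = segment.split("|")
        if fields[0] == "PID":
            # PID-5 = patient name, PID-7 = date of birth, PID-11 = address --
            # all inline, so redacting PHI means rewriting every message in flight.
            print("Name:", fields[5], "DOB:", fields[7], "Address:", fields[11])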

> I was worried too about the security aspect of placing vast amounts of
> medical data in the digital cloud.

I mean, yeah, this is an important set of data. In previous years the issues
were people walking out of the health system with their laptop and having it
stolen with thousands of records on it. Cloudification has certainly reduced
the vectors for stealing large quantities of data.

> data potentially being handed on to third parties;

Their BAA specifically prevents this.

> adverts one day being targeted at patients according to their medical
> histories.

_Again_, the law specifically prevents this use. These are all hypothetical
scenarios.

> Full HIPAA compliance must be enforced, and boundaries must be put in place
> to prevent third parties gaining access to the data without public consent.

There simply is no evidence that full HIPAA compliance isn't being followed.

> Employees at big tech companies having access to personal information

_Thousands_ of employees at Ascension have this level of access. I personally
had access to millions of health care records. BUT! There were auditing
systems in place. If you attempted to use that access outside the scope of
your job, you were fired, no second chance.
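
For what it's worth, here is a toy sketch of what that kind of auditing looks
like (purely illustrative, not Ascension's or Google's actual systems): every
record access is logged, and anything outside an employee's assigned scope is
surfaced for compliance review.

    from dataclasses import dataclass
    from datetime import datetime

    @dataclass
    class AccessEvent:
        employee_id: str
        patient_id: str
        timestamp: datetime
        reason: str

    # Hypothetical assignment table: which patients each employee may touch for their job.
    assigned_patients = {"emp_001": {"pat_100", "pat_101"}, "emp_002": {"pat_200"}}

    audit_log = []

    def access_record(employee_id, patient_id, reason):
        audit_log.append(AccessEvent(employee_id, patient_id, datetime.utcnow(), reason))

    def out_of_scope_accesses():
        """Accesses to patients outside the employee's assignment go to compliance review."""
        return [e for e in audit_log
                if e.patient_id not in assigned_patients.get(e.employee_id, set())]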

> To quote one of my role models, Luke Skywalker: “May the force be with you”.

Are you kidding me? Is this satire?

> In short, patients and the public have a right to know what’s happening to
> their personal health information at every step along the way.

In short, the concerns here are all hypothetical. There's no evidence of any
wrongdoing, and there is no proposal to actually address these concerns in a
practical way.

[1] [https://cloud.google.com/blog/topics/inside-google-cloud/our...](https://cloud.google.com/blog/topics/inside-google-cloud/our-partnership-with-ascension)

------
janlin1999
The real story here might be about how many exceptions are allowed within
HIPAA, and how often health data gets transferred.

My understanding is that patient consent is not necessary for things like
research, which Google's AI efforts could be argued to fall under. This makes
sense in that requiring researchers to get consent for every piece of patient
data would quickly become cost-prohibitive for many types of studies or
introduce sampling issues (e.g. selection bias) or some combination of the
two. Patient health data is frequently handed over to researchers, but HIPAA
probably did not anticipate the case in which a powerful consumer-facing
entity that is notorious for using personal data also could do legitimate
research on health data.

Additionally, given that Google adheres to the HIPAA business associate
agreement, healthcare institutions are allowed to give it non-anonymized
patient information without patient consent. A typical example might be a medical
group that outsources its billing procedures. My understanding is that the
medical group does not need to get patient consent in order to hand over
medical data to the medical billing coders.

Someone who is more knowledgeable about HIPAA might be able to add to the
discussion, but from the few details that have been publicized, it could be
that Google is following the law, but people are surprised by what is allowed
by the law.

~~~
marcinzm
>My understanding is that patient consent is not necessary for things like
research, which Google's AI efforts could be argued to fall under.

HIPAA allows entities to share data with other entities that provide a service
to the original entity. For example, hospitals may share data with a billing
provider or a claims analytics provider. It’s almost certain that Google is
following the letter of the law.

------
tokeepmyjob
I created this anon account because I don't want to lose my job.

I work at a major hospital/university as a research engineer and, 100%, the
whole system is completely broken. Using our hospital and the 10 or so other
major hospitals we work with as my source, I cannot come to any other
conclusion.

HIPAA is constantly touted as the reason to push more and more CYA hurdles
onto the staff's day-to-day interactions. One of the hospitals I work with has
an email system where you receive a notification (via email) that you have a
message from xyz@majorhospital.com; in the body is a link you have to click
through to reach a "secure" portal, then you 2FA, just to read an email
someone sent _you_ (with no PII).

Meanwhile, the systems that actually handle all the PII are basically
rubber-stamped with no real security reviews. Prototypes I've built that
should never pass a security review regularly do, and get let out into the
wild. I've been screaming from the top of a mountain for years and all I ever
hear back is that it would cost too much, or prolong the dev cycle, or <enter
reason here>. If I counter with "I can't believe this will pass HIPAA muster,"
the answer is always the same: "It passed the review and that is what matters."

When something eventually happens, we can say we went through the proper
vetting with the review team, and that's it: next to no liability for building
crap infrastructure. Of course the security review team will say they used
analysis software that cleared everything, so it's not their fault. Finally
the company that made that software will say it's not perfect, but it got
certified by XYZ, and just like that the whole thing blows over.

The hospital itself is what facilitates this shifting of responsibility: it
pays millions upon millions of dollars for any software claiming to securely
retain and protect PII, when all too often that software isn't even in beta,
let alone vetted and hardened. But hey, they got some certification that the
hospital can point to and say "It wasn't us." Every year there is some new
thing we are supposed to do that feigns interest in security, but the weakest
links just keep getting weaker. No one cares about your personal information;
hospitals only care that they aren't liable when your personal information
gets leaked.

I literally lie to my doctor, not because I don't trust her, but because I
know that it's just a matter of time before my information is out there.

~~~
neoburkian
Stuff like this is everywhere. I used to work for a company that had millions
of credit profiles. We had the chief of IT spending enormous amounts of time
to make things "secure," but in the meantime junior PMs (and pretty much
everyone else too) had access to a web portal where they could decrypt and
inspect anyone's credit information, address, name, etc. Inspecting the
personal financial details of people in our system was something employees
would do on a lark. We had a horrible password manager that nobody used, so
the passwords that were employed to validate logins to this portal were
literally the names of the employees with one or two extra characters. No 2FA,
no IP address restriction, nothing.

We would deploy enormous resources to protect something if IT believed they
had a legal requirement to do so (and make a lot of noise about how "secure"
we were), but we would leave treasure chests of information sitting around in
the open if there wasn't a box they needed to check saying "don't leave
unattended treasure chests of private data in the open."

If anything this convinced me that the regulations surrounding this sort of
thing are a joke. We don't need rules about security or how to build X - IT
will just see a list of boxes, check them, and then ignore everything not
specifically enumerated. We need a white hat law for certifying hacking teams
that can legally try to crack corporations with sensitive data. If they
succeed, the company has to pay enormous fines _to the team that hacked them_
and solve the problem or get their certifications/contracts revoked.

------
uoaei
My housemate is not careful with their digital privacy so their devices are
all unambiguously theirs and the profile assembled by advertisers is likely
cohesive across platforms.

Two days ago they said they've been getting a lot more ads about prescription
vaginal creams lately. This wasn't happening a week ago. There is reason to
expect that someone with access to their medical history would segment them as
a likely target for such ads. The topic hasn't come up in their life recently,
so it would have to have come from their medical records.

To be perfectly clear: this probably wouldn't be happening if Google was
telling the truth about not using the data for ads.

It's time to stop believing ad networks when they say they're "not going to
use this data for ads" and "are doing everything they can to keep the data
safe".

Singular anecdatum, I know, but if we find enough examples of similar
occurrences we may be able to build a strong case that they're simply lying
about the security of our data in their hands.

~~~
markstos
As a man, I had ads about custom-fit bras follow me around the internet for a
while. This had nothing to do with my medical records. I had read an article
about a related company.

Sorry, getting ads about medical products is not evidence that the advertising
platform has your medical records.

~~~
earthboundkid
Facebook has been giving me ads for a quit smoking drug for a month or two.
(Chantrix? Shows how well the ad worked. I remember there's a picture of a
cold turkey.) I don't smoke now, and I've never smoked regularly. Machine
learning!

------
peterwwillis
> Two simple questions kept hounding me: did patients know about the transfer
> of their data to the tech giant? Should they be informed and given a chance
> to opt in or out?

That's literally what HIPAA was created to address. The user doesn't have to
opt-in to every single solitary business that touches their data, because
there is a chain of business contracts that explicitly dictate what they can
do, that originates with the care provider.

This is like "blowing the whistle" because your dentist sent your dental
impression to a company to create a crown for you. You didn't "opt-in" to that
dental company getting your impressions, because your dentist had a contract
with them to cover what they would do with it in the first place.

Jesus christ.

~~~
JohnFen
> This is like "blowing the whistle" because your dentist sent your dental
> impression to a company to create a crown for you.

I see a huge difference here, though. The company making my crown doesn't get
my complete medical records. They get what is necessary to make the crown.

Google is getting everything, to use for purposes beyond the patient's
immediate medical needs.

> That's literally what HIPAA was created to address.

That HIPAA allows this sort of thing to happen is a great reason to pressure
lawmakers to improve HIPAA.

~~~
peterwwillis
> Google is getting everything, to use for purposes beyond the patient's
> immediate medical needs.

That claim was never made anywhere in this whistleblower account. Furthermore,
it's illegal, and anyone working with health care records knows that. You
can't use the records for anything other than what was covered by the business
associate contract.

It's clear from the letter that the whistleblower literally has no idea at all
what's going on, so they got frightened and yelled fire, in hopes that
somebody who knows more than them will come and look for a fire.

If they did about 30 minutes of research, they'd know that any person whose
records are covered by this agreement has the legal right to request from
Google all information about how their medical records are being used. All
they'd need to do is ask 8 random people to request records from Google, and
one of them might be covered. They could then find out the answer, or at least
have _some kind of evidence_ of a lack of process or oversight. They have
provided none.

Multiple times in the letter they mention that the public must consent to
this. There is no law requiring this, so really the whistleblower is trying to
assert their own opinions about public policy, and using the veiled threat of
malfeasance to get press time.

I'd expect this anonymous source to out themselves soon so they can lead some
kind of public demand for more visibility (hence more regulation). Which might
be good, except the HHS (which actually regulates HIPAA claims) already
doesn't enforce it much at all. So it's probably just going to be used as a
political tool to gain votes without actually improving people's lives.

~~~
JohnFen
> That claim was never made anywhere in this whistleblower account.

I may have misread the various reports and press releases, of course. If so,
please do correct me. But I believe that everyone, including Google and the
medical group, has mentioned this data is to be used to train a ML engine.

> You can't use the records for anything other than what was covered by the
> business associate contract.

My understanding is that the ML use is covered by the BAA. Of course, I
haven't read it, so I don't know, but it seems likely.

I seriously doubt that anyone is actually overtly and intentionally breaking
any laws here.

------
DIVx0
I work for a large US based corp that focuses on technology and data services
for the healthcare field. We have massive amounts of PHI for the majority of
people who have visited a provider within the country.

We apply all sorts of stuff to this data, ML, AI or whatever other buzzy tech
you can think of.

Most of this work happens within our own data centers but there is significant
work done within public clouds.

We have BAAs (business associate agreements) with every cloud vendor we work
with. We also have gone to extreme lengths to be confident that our cloud
deployments are as secure (or more) than our on premises stuff.

However, none of that is unique. We're not industry trailblazers in adopting
public clouds. Just about every other major player is doing this in a way
fairly similar to ours.

So, what I _really_ don't understand about this story is: did Ascension just
simply give up their data to google without boundaries? Their BAA should be
very clear that Ascension intends to use google's cloud services but is not
giving google rights to their data.

It would not be unusual to engage a vendor or form some other partnership with
another firm to work on problems or generate new products. I assumed that this
is what Ascension and google were doing but this whistleblower and other
stories make it seem like google just has free and clear access to this data
outside of their relationship with Ascension.

Is that true? If so, that's crazy! Otherwise, business as usual?

~~~
CPLX
I've seen a ton of responses from people in the industry along the lines of
"this is normal" or similar. People who work on this stuff are incredulous
that there's even an issue, since everyone's health info is already being
uploaded to AWS or something. This is business as usual, they say.

The uproar is taken by people actually working in the business as a sign that
the public are ignorant and misinformed. Things are actually HIPAA compliant,
they say. This isn't a big deal, they say.

But perhaps the education should be going in the other direction, and the
people in the industry should realize they are the ignorant ones for not
seeing that this is totally not OK for a huge number of people.

Realize that we are absolutely horrified that this data is being shared, that
a reasonable response is to say that if HIPAA is OK with this then we need
stronger laws, that we don't want faceless algorithms studying our most
intimate personal and medical issues at companies we never had a relationship
with.

And, especially, we are absolutely fucking certain that we want literally none
of it to be seen by employees of the sociopathic tech companies that are
surveilling every aspect of our life in order to better manipulate politics,
markets, and our society.

The thing to take away here is that people are shocked and horrified at what's
apparently business as usual.

~~~
trebligdivad
But if they're just using Google as cloud storage/compute, it's not being
shared. Only very few Google employees would have access, and they'd have very
careful limitations and controls on who accessed what - that's not the same as
giving it to Google for some big AI experiment.

~~~
inetknght
> _Only very few Google employees would have access_

That's "very few" Google employees more than zero. I expect _zero_ Google
employees to have access to my medical data. Any number above zero is
absolutely not acceptable to me.

> _they'd have very careful limitations and controls on who accessed what_

Yeah, just like Equifax, right?

~~~
kazen44
> That's "very few" Google employees more than zero. I expect zero Google
> employees to have access to my medical data. Any number above zero is
> absolutely not acceptable to me.

Heck, people owning my medical data who are not my doctor/GP and related
medical professionals is a big no go in my opinion.

Medical data is rather private.

~~~
inetknght
> _Heck, people owning my medical data who are not my doctor/GP and related
> medical professionals is a big no go in my opinion._

Not even "owning", but having.

Having even "anonymized" data is not acceptable to me.

------
blissofbeing
What is the risk of exposing our health data? To me it is not so obvious,
other than maybe embarrassment? Is it like how in our culture we don't like to
talk about how much money we make? Why are all these things supposed to be
secret in the first place?

~~~
reaperducer
Because your medical information can be used against you.

Want a new job? Nope! We don't want someone with your condition on our team.

Want to buy a house? Nope! An AI bot says you may not live long enough to pay
off the loan.

Want to get some ice cream? Can't haz. When you swipe your electronic payment
method, the database says you're at risk for diabetes.

There are thousands of other scenarios.

~~~
blissofbeing
The can't-get-ice-cream one is a bit far-fetched, eh? I'm sure that even if
they knew my health history they would still sell me some ice cream :)

~~~
reaperducer
Not if the Point of Sale system won't let them.

