SAN FRANCISCO — When the University of Chicago Medical Center announced a partnership to share patient data with Google in 2017, the alliance was promoted as a way to unlock information trapped in electronic health records and improve predictive analysis in medicine.
On Wednesday, the University of Chicago, the medical center and Google were sued in a potential class-action lawsuit accusing the hospital of sharing hundreds of thousands of patients’ records with the technology giant without stripping identifiable date stamps or doctor’s notes.
The suit, filed in United States District Court for the Northern District of Illinois, demonstrates the difficulties technology companies face in handling health data as they forge ahead into one of the most promising — and potentially lucrative — areas of artificial intelligence: diagnosing medical problems.
Google is at the forefront of an effort to build technology that can read electronic health records and help physicians identify medical conditions. But the effort requires machines to learn this skill by analyzing a vast array of old health records collected by hospitals and other medical institutions.
That raises privacy concerns, especially when the data is used by a company like Google, which already knows what you search for, where you are and what interests you hold.
In 2016, DeepMind, a London-based A.I. lab owned by Google’s parent company, Alphabet, was accused of violating patient privacy after it struck a deal with Britain’s National Health Service to process medical data for research.
The group inside DeepMind that acquired the data from the National Health Service has since been transferred to Google, which has raised additional complaints from privacy advocates in Britain. DeepMind had previously said data would never be shared with Google. In absorbing DeepMind’s health unit, Google said it was building “an A.I.-powered assistant for nurses and doctors.”
A Google spokesman said in a statement that it followed guidelines under the Health Insurance Portability and Accountability Act, or Hipaa, that allow for disclosing personal health information without authorization in certain instances for research purposes.
“We believe our health care research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data,” said the spokesman, Jose Castaneda.
The University of Chicago did not immediately respond to a request for comment Wednesday evening.
Google’s alliance with the University of Chicago mirrored other partnerships that the company struck to obtain electronic health records from other hospitals, including Stanford University and the University of California, San Francisco.
But the deal with the University of Chicago medical center violated patient privacy, the lawsuit claims, because those records also included date stamps of when patients checked in and checked out of the hospital.
In a research paper published by Google last year about “Scalable and Accurate Deep Learning for Electronic Health Records,” the company said it had used electronic health record data of patients at University of Chicago Medicine from 2009 to 2016.
The records included patient demographics, diagnoses, procedures, medication and other data. The paper states that the records were “de-identified,” except that “dates of service were maintained.” The paper also noted that the University of Chicago had provided “free-text medical notes” that were de-identified.
Hipaa, the federal regulation that protects patients’ confidential health data, allows medical providers to share medical records as long as the data is “de-identified.”
To meet the Hipaa standard, hospitals must strip out individually identifiable information like the patients’ name and Social Security number as well as dates directly related to the individual, including admission and discharge dates.
The lawsuit said the inclusion of dates was a violation of Hipaa rules in part because Google could combine them with other information it already knew, like location data from smartphones running its Android software or Google Maps and Waze, to establish the identity of the patients in the medical records.
“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class actions against technology companies for privacy violations.
The lawsuit, filed on behalf of Matt Dinerstein, who stayed at the University of Chicago Medical Center on two occasions in June 2015, did not offer evidence that Google misused the information provided from the medical center or made attempts to identify the patients.
The complaint accuses the university of consumer fraud and fraudulent business practices because it never received express consent from patients to disclose medical records to Google. In a privacy agreement, the university said it would keep medical information confidential and comply with Hipaa regulations. The lawsuit also accuses Google of unjust enrichment.
Stacey A. Tovino, a health law professor at the University of Nevada, Las Vegas, said Hipaa was enacted in 1996 before the technology industry started collecting vast amounts of personal information.
That has made the regulations outdated because the idea of what information is considered individually identifiable has changed with advances in technology.