Lawsuit Filed Against the University of Chicago Medical Center and Google over Data Sharing

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

A potential class action lawsuit has been filed against the University of Chicago Medical Center (UChicago Medicine) by a former patient, claiming his and thousands of other patients’ medical records were shared with Google without authorization and without removing identifying information.

The suit was filed in the United States District Court for the Northern District of Illinois.

Google and UChicago Medicine have been partnering since 2017 in an effort to improve predictive analysis through artificial intelligence. Machine learning is required for Google to make these technological advancements, meaning old health records are a necessary part of the analysis. The goal of this partnership and the predictive models being created is to reduce unplanned readmissions into the hospital, along with reducing patient complications that could arise.

The lawsuit alleges that date stamps and doctor’s notes were not removed from the records shared with Google. If the patient data was not properly de-identified, and its exposure was not authorized by the patient, this could allow for their identity to be determined, potentially violating the Health Insurance Portability and Accountability Act (HIPAA).

Additionally, the lawsuit argues that because of services Google offers, such as it’s “Timeline” service (in addition to Google Maps, Calendar, or Search), they could identify when patients had appointments, what building/department their appointment was in, etc., which could be used to identify the patient.

Both UChicago Medicine and Google are standing behind their partnership, stating that they were in compliance with regulations.

We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago.” – Google

That research partnership was appropriate and legal and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients…” – UChicago Medicine Spokesperson

This potential lawsuit highlights the privacy concerns that are arising as more and more tech giants enter the healthcare sector.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.

The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on number of employees, for a full 12 months. All include a discount if purchased through us.


If your organization has more than 50 employees, or if you’d like to schedule a demo or you just want to get a couple questions answered, take a few seconds to complete this form and we will get back to you.