Update from LitLand: Illinois Lawsuit Highlights Difficulty of True De-Identification

LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlight any past, current, and future cases about which you should know.

Google, the University of Chicago Medical Center, and the University of Chicago have been accused of violating the privacy of thousands of patients seen by the medical center between 2009 and 2016. The case, if it survives an inevitable standing challenge, may lead to copycat lawsuits against other medical facilities that had similar arrangements with Google and may stifle innovation in medical technology that is reliant on artificial intelligence and, therefore, access to health data.

The Allegations

Filed in late June in the Northern District of Illinois, the class action complaint alleges that the University of Chicago and University of Chicago Medical Center (collectively, “UoC”) shared electronic health records (EHRs) with Google that, despite UoC’s claims, were not actually de-identified because they contained “detailed datestamps and copious free-text notes.”

Sharing de-identified electronic protected health information (ePHI) is permitted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) only for appropriate purposes, i.e., from one covered entity to another covered entity with a relationship to the patient, where there is a business associate agreement in place, or with express consent from the patient. HIPAA does not restrict the use and sharing of data that is de-identified (data that has had all identifiers removed and does not have a reasonable chance of being relinked to an individual). The data in this case was shared with Google because the company is developing technology that will be able to read EHRs and help physicians identify, treat, and potentially prevent the onset of medical conditions.

The suit alleges that because Google is “one of the most prolific data mining companies,” it was “uniquely able to determine the identity of almost every medical record the University released.” Google’s ability was magnified, shortly after it received the records from UoC, by its absorption of “DeepMind Health”—a healthcare technology company—for the very specific purpose of analyzing medical records and creating commercial products. Google’s access to DeepMind’s technology allowed the company to make “connections between various data points (i.e., from EHRs and Google users’ data).”

Finally, the suit claims various “hospitals, researchers, and healthcare providers” all turned down Google’s attempts to obtain the medical data before the company found success with UoC.

The Plaintiffs

The named plaintiff in the suit is Matt Dinerstein, who was a patient at the University of Chicago Medical Center from June 4 to June 7, 2015, and again from June 25 to June 27, 2015. During those stays, the UoC allegedly “generated numerous pages of health records that included sensitive information such as Dinerstein’s demographic information, his vitals, diagnoses, procedures, and prescriptions.” In fact, the suit alleges that the data shared with Google included: patient demographics; provider orders; diagnoses; procedures; medications; laboratory values; vital signs; and flowsheet data. This was published in a joint report between Google and UoC, but allegedly neither entity disclosed that datestamps and free-text notes were also shared.

During his stay, Dinerstein, who has a Google account, “used a smartphone with Google applications installed that . . . collected his geolocation information and transmitted it back to” Google. Per the complaint, the data was added to the already copious cache of information that Google collects from its customers. The “geolocation information, when combined with the exact datestamps for admission and discharge (along with other health events at the hospital) included in the University’s medical records, and cross referencing the age, gender, and demographic information with [Google’s] own data, creates a perfect formulation of data points for Google to identify who the patients in those records really are.”

Dinerstein maintains that he never consented to the UoC’s disclosing his “confidential medical information to Google,” nor did he give “Google permission to use his medical records for any purpose, let alone for a commercial purpose.” The suit alleges the class of plaintiffs “likely consists of hundreds of thousands of individuals” and seeks certification for “[a]ll individuals in the United States whose Electronic Health Records were transferred to Google (or any of its related entities) by The University of Chicago (or any of its related entities).”

Causes of Action

The complaint asserts seven causes of action, including: a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (based on alleged misrepresentations in the UoC’s Notice of Privacy Practices and Admission and Outpatient Agreement and Authorization); breach of both implied and express contract; tortious interference with contract (against Google for allegedly interfering with the contract for confidentiality between UoC and patients); intrusion upon seclusion; and unjust enrichment. While the plaintiff does not state the amount in damages, the choice of venue is based, in part, on an “amount in controversy [that] exceeds $5,000,000.”

Takeaways

The lawsuit is definitely one to keep watching for a number of reasons.

First, as we have discussed, privacy lawsuits generally face a standing obstacle. However, the 7th Circuit has previously shown a willingness to permit breach lawsuits to proceed based on the theory that exposed data may pose a future risk of substantial harm to the consumer. Further, HIPAA does not have a private right of action, meaning private litigants must rely on state law claims such as negligence and breach of contract.

Second, despite the plaintiff’s contentions in this suit, there are other medical facilities with similar arrangements with Google. While those facilities are presumably not named defendants because the plaintiff was not treated at those facilities, others who did receive medical services at those facilities could bring copycat lawsuits. Depending on how the Illinois court handles the inevitable standing challenge, those future plaintiffs may be presented with a roadmap for their own privacy violation challenges.

Finally, irrespective of the outcome of this case, the mere fact the lawsuit was brought may make entities covered under HIPAA more hesitant to partner with technology companies. This is significant because artificial intelligence technology that is being developed in this space requires actual patient data in order to train its algorithms. If no low-risk method to exchange de-identified data exists, development of diagnostic tools could face setbacks.