Dinerstein vs Google: A case study for the WHO
Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review
Google announced a strategic partnership with the University of Chicago and the University of Chicago Medicine in the USA in May 2017. The aim of the partnership was to develop novel machine-learning tools to predict medical events such as unexpected hospital admissions. To realize this goal, the University shared hundreds of thousands of “de-identified” patients’ records with Google. One of the University’s patients, Matt Dinerstein, filed a class action complaint against the University and Google in June 2019 on behalf of all patients whose records were disclosed.
Dinerstein brought several claims, including breach of contract, against the University and Google, alleging prima facie violation of the US Health Insurance Portability and Accountability Act. According to an article published in 2018 by the defendants, the patients’ medical records shared with Google “were de-identified, except that dates of service were maintained in the (...) dataset”. The dataset also included “free-text medical notes”. Dinerstein accused the defendants of insufficient anonymization of the records, putting the patients’ privacy at risk. He alleged that the patients could easily be re-identified by Google by combining the records with other available data sets, such as geolocation data from Google Maps (by so-called “data triangulation”). Moreover, Dinerstein asserted that the University had not obtained express consent from each patient to share their medical records with Google, despite the technology giant’s commercial interest in the data.
The issue of re-identification was largely avoided by the district judge, who dismissed Dinerstein’s lawsuit in September 2020. The reasons given for dismissal included Dinerstein’s failure to demonstrate damages that had occurred because of the partnership. This case illustrates the challenges of lawsuits related to data-sharing and highlights the lack of adequate protection of the privacy of health data. In the absence of ethical guidelines and adequate legislation, patients may have difficulty in maintaining control of their personal medical information, particularly
in circumstances in which the data can be shared with third parties and in the absence of safeguards against re-identification.
Dinerstein brought several claims, including breach of contract, against the University and Google, alleging prima facie violation of the US Health Insurance Portability and Accountability Act. According to an article published in 2018 by the defendants, the patients’ medical records shared with Google “were de-identified, except that dates of service were maintained in the (...) dataset”. The dataset also included “free-text medical notes”. Dinerstein accused the defendants of insufficient anonymization of the records, putting the patients’ privacy at risk. He alleged that the patients could easily be re-identified by Google by combining the records with other available data sets, such as geolocation data from Google Maps (by so-called “data triangulation”). Moreover, Dinerstein asserted that the University had not obtained express consent from each patient to share their medical records with Google, despite the technology giant’s commercial interest in the data.
The issue of re-identification was largely avoided by the district judge, who dismissed Dinerstein’s lawsuit in September 2020. The reasons given for dismissal included Dinerstein’s failure to demonstrate damages that had occurred because of the partnership. This case illustrates the challenges of lawsuits related to data-sharing and highlights the lack of adequate protection of the privacy of health data. In the absence of ethical guidelines and adequate legislation, patients may have difficulty in maintaining control of their personal medical information, particularly
in circumstances in which the data can be shared with third parties and in the absence of safeguards against re-identification.
| Original language | English |
|---|---|
| Title of host publication | Ethics and Governance of Artificial Intelligence for Health : WHO Guidance |
| Number of pages | 1 |
| Place of Publication | Geneva |
| Publisher | World Health Organization |
| Publication date | 2021 |
| Pages | 38 |
| ISBN (Print) | 978-92-4-002921-7 |
| ISBN (Electronic) | 978-92-4-002920-0 |
| Publication status | Published - 2021 |
Links
- https://www.who.int/publications/i/item/9789240029200
Final published version
ID: 273287554