A district court judge recently dismissed a class-action lawsuit filed against the University of Chicago Medical Center (UCMC) and tech giant Google, said Healthcare IT News. The suit alleged that the two organizations failed to secure patients’ data.
Judge Rebecca R. Palmeyer of the United States District Court for the Northern District of Illinois ruled that the claims detailed in the suit regarding the insufficient de-identification of info performed by the two respondents were “misleading.” The decision was made on September 4.
Pallmeyer’s decision stated, “Plaintiff suggests that the risk of re-identification was in fact substantial because of the information Google already possesses about individuals through the other services it provides.”
The judge pointed out that Google’s location tracker has the ability to record the buildings the plaintiff, who was a Google user, visited. This means that even without UCMC providing de-identified info, the company already has a record that Dinerstein visited the hospital.
The class-action lawsuit
The suit filed by plaintiff Daniel Dinerstein, a patient at UCMC back in 2015, claimed that the tech giant and UCMC’s de-identification procedures were not enough to protect clients. Thus, the process reportedly compromised their info as it can be easily re-identified.
Data de-identification is the practice of separating Personally Identifiable Information (PII) from Protected Health Information (PHI) from databases. The suit posited that the UCMC’s de-identified data submitted to Google contained specific info that could lead to re-identification.
According to the suit, the data “included detailed datestamps and copious free-text notes.” With Google’s technology in data mining and artificial intelligence, the company is alleged “uniquely able to determine the identity of almost every medical record” released.
Dinerstein claimed that the combination of Google’s geolocation data and UCMC’s de-identified info allows for re-identification.
As Pallmeyer explained, the claim is “misleading,” especially as the amended complaint did not allege “that Google has in fact used its extensive data to re-identify electronic health records (EHRs).”
The case is similar to another issue involving Google and Ascension with Project Nightingale. This gained mainstream media traction as people alleged that Google has been using patient info in developing an AI and machine learning software for Ascension.
On the issue of re-identification, the Office of the National Coordinator for Health IT has been investigating ways of managing privacy risks since 2010. This initiative especially focuses on the issue of de-identification and re-identification.
