Douglas MacMillan & Greg Bensinger | The Washington Post | Source URL
Two days before Google was set to publicly post more than 100,000 images of human chest X-rays, the tech giant got a call from the National Institutes of Health, which had provided the images: Some of them still contained details that could be used to identify the patients, a potential privacy and legal violation.
Google abruptly canceled its project with NIH, according to emails reviewed by The Washington Post and an interview with a person familiar with the matter who spoke on the condition of anonymity. But the 2017 incident, which has never been reported, highlights the potential pitfalls of the tech giant’s incursions into the world of sensitive health data.
Over the course of planning the X-ray project, Google’s researchers didn’t obtain any legal agreements covering the privacy of patient information, the person said, adding that the company rushed toward publicly announcing the project without properly vetting the data for privacy concerns. The emails about Google’s NIH project were part of records obtained from a Freedom of Information Act request.
Google’s ability to uphold data privacy is under scrutiny as it increasingly inserts itself into people’s medical lives. The Internet giant this week said it has partnered with health-care provider Ascension to collect and store personal data for millions of patients, including full names, dates of birth and clinical histories, in order to make smarter recommendations to physicians. But the project raised privacy concerns in part because it wasn’t immediately clear whether patients had consented to have their files transferred from Ascension servers or what Google’s intentions were.
Both the NIH partnership and the Ascension pact were meant in part to showcase Google’s cloud storage capabilities. Google has said that both projects are compliant with federal privacy laws and that no rules were broken.
“We take great care to protect patient data and ensure that personal information remains private and secure,” said Google spokesman Michael Moeschler in regard to the NIH project. “Out of an abundance of caution, and in the interest of protecting personal privacy, we elected to not host the NIH dataset. We deleted all images from our internal systems and did not pursue further work with NIH.”
In a statement, NIH spokesman Justin Cohen said Google was one of several cloud providers the federal hospital considered for hosting the X-ray scans. All images were screened by NIH staff, who removed personal data before posting them publicly, he said.
Google declined to comment about Ascension. Ascension spokesman Nick Ragone declined to comment. Details of the Ascension partnership were reported earlier this week by the Wall Street Journal.
The Department of Health and Human Services said this week that it was looking into whether Google’s “mass collection of individuals’ health records,” through its Ascension partnership, may violate the Health Insurance Portability and Accountability Act, or HIPAA, the federal law that protects the privacy of some types of medical records.
Google’s missteps in health care loom over its sprawling ambitions in the field. It and other units of parent company Alphabet have launched a research lab devoted to expanding human longevity and attempted to develop glucose-level-sensing contact lenses. The company last year hired David Feinberg, a veteran of the Geisinger chain of hospitals, and earlier this month announced a deal to acquire personal fitness tracker Fitbit. Google said the deal is meant to feed its hardware ambitions and is not a play for more data.
The $2.1 billion deal for Fitbit is stoking antitrust and privacy concerns while it awaits regulatory approval. “Why should Google be permitted to acquire even more companies while they’re under DOJ antitrust investigation?” tweeted Republican Sen. Josh Hawley (Mo.) soon after the deal was announced. Rep. David N. Cicilline (D-R.I.), the chairman of a House committee on antitrust issues, called for “an immediate and thorough investigation” of the acquisition.
Tech giants, facing growing scrutiny of privacy policies by regulators and consumer advocates, face higher stakes when it comes to protecting health data, an area where exposing someone’s private information can result in their losing insurance or being stigmatized for having a disease.
Two years ago, Fei-Fei Li, then the chief scientist of Google’s cloud-computing division, helped to oversee the chest X-ray project in partnership with the NIH Clinical Center. The government-funded research hospital, based in Bethesda, runs clinical research studies in which patients participate. The NIH Clinical Center had 112,000 chest X-ray images, taken from more than 30,000 patients, many of whom had lung disease, according to the emails that were part of the records request.
Google planned to use its cloud service to publicly host the images, according to the person and the records. Li wanted to showcase how Google’s tool for teaching machines to learn, called TensorFlow, could be used to solve some of the most complex problems in medicine, the person said. TensorFlow could train computers to understand which images contained the markings of different diseases. Google would also make the raw X-ray data available to outside AI researchers via its cloud.In the summer of 2017, NIH shared the images with Google’s employees. The emails show they worked together to scrub the records of personal patient data. Google was working toward a deadline of July 21, when the company hoped to announce the project and release the data set to the public at an artificial-intelligence conference in Honolulu, the emails show. Google’s communications team drafted a blog post explaining the effort and scheduled an interview with a CNBC reporter.
Li, who left her role at Google in 2018 and became co-director of Stanford’s new Human-Centered Artificial Intelligence Institute earlier this year, declined to comment.
On July 19, NIH contacted Google to alert the company that its researchers had found dozens of images still included personally identifying information, including the dates the X-rays were taken and distinctive jewelry that patients were wearing when the X-rays were taken, the emails show.
Google’s lawyers began raising concerns that possessing and reviewing sensitive health data could create liabilities for the company, said the person familiar with the effort. Those lawyers shared their concerns with a Google engineer, who sent an email to NIH staff members asking whether the data was protected under HIPAA, the federal law governing such information.
Google deleted all of the X-ray images from its servers over the privacy concerns and told NIH it would no longer move forward with the project, according to the emails.
NIH has broad authority to share medical data with outside “consultants” for the purpose of research, as specified in the waivers the hospital collects from patients. But whether Google would be considered a consultant under the policy is unclear.
Google is not alone in pursuing health-care data and profits. Apple collects sleep and heart rate data from its smartwatches and is part of a gynecological study with NIH with an eye toward improving fertility and disease screening. Amazon last year bought prescription drug delivery service PillPack for nearly $1 billion. (Amazon chief executive Jeff Bezos owns The Washington Post.)
Google has stumbled in its handling of other sensitive health data in recent years. This spring, Google and the University of Chicago’s medical school were sued for allegedly improperly sharing patient records because they contained personal information, such as doctor’s notes. Google “followed all relevant rules and regulations in our handling of health data,” Google Cloud spokesman Ted Ladd said.
British regulators in 2017 said that a data-sharing agreement between Google’s DeepMind division and the Royal Free National Health Service Foundation Trust violated local laws when it failed to inform patients how their data would be used in an artificial-intelligence program. A representative for Google’s DeepMind couldn’t immediately be reached for comment.
An internal “post-mortem” review of the NIH incident conducted by Google managers found that, in the rush toward the planned public announcement, its researchers had failed to sufficiently vet the data or secure any legal agreements covering the privacy of patient information, the person said. Only in the final days before the public launch did the team leading the X-ray project consult with a privacy expert, the person said.
NIH finished scrubbing the data and released all of the X-ray images in September 2018, using cloud-storage provider Box. NIH spokesman said no outside company was involved in reviewing the images it made available to researchers.
Box spokesman Denis Roy said NIH is one of many health-care organizations that uses its service to manage sensitive medical data.
Google was not mentioned in the announcement and never publicly disclosed its involvement in the project.