How Google Is Stealing Your Personal Health Data

Dr. Mercola, Guest
Waking Times

Google, by far one of the greatest monopolies that ever existed, and poses a unique threat to anyone concerned about health, supplements, food and your ability to obtain truthful information about these and other issues.

This year, we’ve seen an unprecedented push to implement censorship across all online platforms, making obtaining and sharing crucial information about holistic health increasingly difficult.

As detailed in “Stark Evidence Showing How Google Censors Health News,” Google’s June 2019 update, which took effect June 3, effectively removed Mercola.com and hundreds of other natural health sites from Google search results. Google is also building a specific search tool for medical and health-related searches.¹

And, while not the sole threat to privacy, Google is definitely one of the greatest. Over time, Google has positioned itself in such a way that it’s become deeply embedded in your day-to-day life, including your health.

In recent years, the internet and medicine have become increasingly intertwined, giving rise to “virtual medicine” and self-diagnosing — a trend that largely favors drugs and costly, invasive treatments — and Google has its proverbial fingers in multiple slices of this pie.

Health Data Mining Poses Unique Privacy Risks

For example, in 2016, Google partnered with WebMD, launching an app allowing users to ask medical questions.² The following year, Google partnered with the National Alliance on Mental Illness, launching a depression self-assessment quiz which turned out to be little more than stealth marketing for antidepressants.^3,4

Google and various tech startups have also been investigating the possibility of assessing mental health problems using a combination of electronic medical records and tracking your internet and social media use.

In 2018, Google researchers announced they’d created an artificial intelligence-equipped retinal scanner that can appraise your risk for a heart attack.⁵

According to a recent Financial Times report,⁶ Google, Amazon and Microsoft collect data entered into health and diagnostic sites, which is then shared with hundreds of third parties — and this data is not anonymized, meaning it’s tied to specifically to you, without your knowledge or consent.

What this means is DoubleClick, Google’s ad service, will know which prescriptions you’ve searched for on Drugs.com, thus providing you with personalized drug ads. Meanwhile, Facebook receives information about what you’ve searched for in WebMD’s symptom checker.

“There is a whole system that will seek to take advantage of you because you’re in a compromised state,” Tim Lebert, a computer scientist at Carnegie Mellon University told Financial Times.⁷ “I find that morally repugnant.”

While some find these kinds of technological advancements enticing, others see a future lined with red warning flags. As noted by Wolfie Christl, a technologist and researcher interviewed by Financial Times:⁸

“These findings are quite remarkable, and very concerning. From my perspective, this kind of data are clearly sensitive, has special protections

The following graphic, created by Financial Times, illustrates the flow of data from BabyCenter.com, a site that focuses on pregnancy, children’s health and parenting, to third parties, and the types of advertising these third parties then generate.

Tech Companies Are Accessing Your Medical Records

As described in the featured Wall Street Journal video,⁹ a number of tech companies, including Amazon, Apple and the startup Xealth, are diving into people’s personal electronic medical records to expand their businesses.

Xealth has developed an application that is embedded in your electronic health records. Doctors who use the Xealth application — which aims to serve most health care sectors and is being rapidly adopted as a preferred “digital formulary”¹⁰ — give the company vast access to market products to their patients. The app includes lists of products and services a doctor believes might be beneficial for certain categories of patients.

When seeing a patient, the doctor will select the products and services he or she wants the patient to get, generating an electronic shopping list that is then sent to the patient. The shopping links direct the patient to purchase these items from Xealth’s third-party shopping sites, such as Amazon.

As noted in the video, “Some privacy experts worry that certain Xealth vendors can see when a patient purchased a product through Xealth, and therefore through their electronic health record.” In the video, Jennifer Miller, assistant professor at Yale School of Medicine says:

”In theory, it could boost adherence to physician recommendations, which is a huge challenge in the U.S. health care system. On the other side, there are real worries about what type of information Amazon in particular is getting access to.

So, from what I understand, when a patient clicks on that Xealth app and is taken to Amazon, the data are coded as Xealth data, which means Amazon likely knows that you purchased these products through your electronic health records.”

Amazon Is Mining Health Records

Amazon, in turn, has developed software, called Amazon Comprehend Medical, which uses artificial intelligence (AI) to mine people’s electronic health records. This software has been sold to hospitals, pharmacies, researchers and various other health care providers.

The software reveals medical and health trends that might otherwise go unnoticed. As one example, given in the video, a researcher can use this software to mine tens of thousands of health records to identify candidates for a specific research study.

While this can certainly be helpful, it can also be quite risky, due to potential inaccuracies. Doctors may enter inaccurate data for a patient, for example, data that, were it accurate, would render that patient a poor test subject.

Apple is also getting in on the action through its health app. It facilitates access to electronic medical records by importing all your records directly from your health care provider. The app is meant to be “helpful” by allowing you to pull up your medical records on your iPhone and present them to any doctor, anywhere in the world.

What Does This Mean for Your Privacy

While tech companies like Amazon and Apple claim your data are encrypted (to protect it from hacking) and that they cannot view your records directly, data breaches have become so common that such “guarantees” are next to worthless.

As noted in the video by Dudley Adams, a data use expert at the University of California, San Francisco, “No encryption is perfect. All it takes is time for that encryption to be broken.” One very real concern about having your medical records hacked into is that your information may be sold to insurance companies and your employer, which they can then use against you, either by raising your rates or denying employment.

After all, sick people cost insurance companies and employers more money, so both have a vested interest in avoiding chronically ill individuals. So, were your medical records to get out, you could potentially become uninsurable or unemployable.

Google Collects Health Data on Millions of Americans

Getting back to Google, a whistleblower recently revealed the company amassed health data from millions of Americans in 21 states through its Project Nightingale,^11,12 and patients have not been informed of this data mining. As reported by The Guardian:¹³

“A whistleblower who works in Project Nightingale … has expressed anger to the Guardian that patients are being kept in the dark about the massive deal.

The anonymous whistleblower has posted a video on the social media platform Daily Motion that contains a document dump of hundreds of images of confidential files relating to Project Nightingale.

The secret scheme … involves the transfer to Google of healthcare data held by Ascension, the second-largest healthcare provider in the U.S. The data is being transferred with full personal details including name and medical history and can be accessed by Google staff. Unlike other similar efforts it has not been made anonymous though a process of removing personal information known as de-identification …

Among the documents are the notes of a private meeting held by Ascension operatives involved in Project Nightingale. In it, they raise serious concerns about the way patients’ personal health information will be used by Google to build new artificial intelligence and other tools.”

The anonymous whistleblower told The Guardian:

“Most Americans would feel uncomfortable if they knew their data was being haphazardly transferred to Google without proper safeguards and security in place. This is a totally new way of doing things. Do you want your most personal information transferred to Google? I think a lot of people would say no.”

On a side note, the video the whistleblower uploaded to Daily Motion has since been taken down, with a note saying the “video has been removed due to a breach of the Terms of Use.”

According to Google and Ascension, the data being shared will be used to build a search tool with machine-learning algorithms that will spit out diagnostic recommendations and suggestions for medications that health professionals can then use to guide them in their treatment.

Google claims only a limited number of individuals will have access to the data, but just how trustworthy is Google these days? Something tells me that since the data includes full personal details, they’ll have no problem figuring out a way to eventually make full use of it.

Google Acquires Fitbit

In November 2019, the company also acquired Fitbit for $2.1 billion, giving Google access to the health data of Fitbit’s 25.4 million active users¹⁴ as well. While Google says it won’t sell or use Fitbit data for Google ads, some users have already ditched their devices for fear of privacy breaches.¹⁵ As reported by The Atlantic on November 14, 2019:¹⁶

“Immediately, users voiced concern about Google combining fitness data with the sizeable cache of information it keeps on its users. Google assured detractors that it would follow all relevant privacy laws, but the regulatory-compliance discussion only distracted from the strange future coming into view.

As Google pushes further into health care, it is amassing a trove of data about our shopping habits, the prescriptions we use, and where we live, and few regulations are governing how it uses these data.”

How HIPAA Laws Actually Allow This Data Mining

The HIPAA Security Rule is supposed to protect your medical records, preventing access by third parties — including spouses — unless you specifically give your permission for records to be shared. So, just how is it that Google and other tech companies can mine them at will?

As it turns out, the Google-Ascension partnership that gives Google access to medical data is covered by a “business associate agreement” or BAA. HIPAA allows hospitals and medical providers to share your information with third parties that support clinical activities, and according to Google’s interpretation of the privacy laws and HIPAA regulations, the company is not in breach of these laws because it’s a “business associate.”

The Department of Health and Human Services’ Office for Civil Rights has opened an investigation into the legality of this arrangement.¹⁷ As reported by The Atlantic:¹⁸

“If HHS determines that Google and its handling of private information make it something more akin to a health care provider itself (because of its access to sensitive information from multiple sources who aren’t prompted for consent), it may find Google and Ascension in violation of the law and refer the matter to the Department of Justice for potential criminal prosecution.

But whether or not the deal goes through, its very existence points to a larger limitation of health-privacy laws, which were drafted long before tech giants started pouring billions into revolutionizing health care.”

Patients Bear the Risk While Third Parties Benefit

BAA agreements only allow for the disclosure of protected health information to entities that help the medical institution to perform its health care functions. The third party is not permitted to use the data for its own purposes or in any independent way.

I personally find it hard to believe that Google would not find a way to profit from this personal health data, considering its web-like business structure that ties into countless other for-profit parties. Even if they don’t, there does not appear to be any distinct advantages to patients whose records are being shared. As reported by STAT News:¹⁹

“Jennifer Miller, a Yale medical school professor who studies patient privacy issues, said the way health information is being shared, whether legal or not, is far from ideal. Patients — whose data are shared without their knowledge or specific consent — end up with all the risks, she said, while the benefits, financial or otherwise, go to Google, Ascension, and potentially future patients.”

As reported by Health IT Security²⁰ in March 2019, Democratic senator of Nevada, Catherine Cortez Masto, has also introduced a data privacy bill “that would require companies not covered by HIPAA to obtain explicit consent from patients before sharing health and genetic data.”

“The bill covers the collecting and storing of sensitive data, such as biometrics, genetics, or location data,” Health IT Security writes.²¹ “The consent form must outline how that data will be used.

And the bill will also let consumers request, dispute the accuracy of their records, and transfer or delete their data “without retribution” around price or services offered.

Further, organizations would need to apply three standards to all data collection, processing, storage, and disclosure. First, collection must be for a legitimate business or operation purpose, without subjecting individuals to unreasonable risks to their privacy.

Further, the data may not be used to discriminate against individuals for protected characteristics, such as religious beliefs. Lastly, companies may not engage in deceptive data practices.”

Google Partnership Spurs Class-Action Lawsuit

The fact that patients don’t want Google to access their medical records is evidenced by a class-action lawsuit filed in the summer of 2019 against the University of Chicago Medical Center which, like Ascension, allowed Google access to identifiable patient data through a partnership with the University of Chicago. As reported by WTTW News June 28, 2019:²²

“All three institutions are named as defendants in the suit, which was filed … by Matt Dinerstein, who received treatment at the medical center during two hospital stays in 2015.

The collaboration between Google and the University of Chicago was launched in 2017 to study electronic health records and develop new machine-learning techniques to create predictive models that could prevent unplanned hospital readmissions, avoid costly complications and save lives …

The tech giant has similar partnerships with Stanford University and the University of California-San Francisco. But that partnership violated federal law protecting patient privacy, according to the lawsuit, by allowing Google to access electronic health records of ‘nearly every patient’ at the medical center from 2009 to 2016.

The suit also claims Google will use the patient data to develop commercial health care technologies … The lawsuit claims the university breached its contracts with patients by ‘failing to keep their medical information private and confidential.’ It also alleges UChicago violated an Illinois law that prohibits companies from engaging in deceptive practices with clients.”

Like Ascension, the University of Chicago claims no confidentiality breaches have been made, since Google is a business associate. However, the lawsuit claims HIPAA was still violated because medical records were shared that “included sufficient information for Google to re-identify patients.”

The lawsuit also points out that Google does indeed have a commercial interest in all of this information, and can use it by combining it with its AI and advanced machine learning.

According to the plaintiffs, Google’s acquisition of DeepMind “has allowed for Google to find connections between electronic health records and Google users’ data.” The news report also points out that:²³

“In 2015, Google and DeepMind obtained patient information from the Royal Free NHS Trust Foundation to conduct a study, which a data protection watchdog organization said ‘failed to comply with data protection law.’”

Health-Tracking Shoes and Other Privacy Abominations

Google is also investing in other wearable technologies aimed at tracking users’ health data, including:²⁴

• Shoes designed to monitor your weight, movement and falls
• “Smart” contact lenses for people with age-related farsightedness and those who have undergone cataract surgery²⁵ (a glucose-sensing contact lens for diabetics was canceled in 2018 after four years of development²⁶)
• A smartwatch to provide information for clinical research²⁷
• An all-in-one insulin patch pump for Type 2 diabetics that is prefilled and connected to the internet²⁸

Google also has big plans for expanding the use of AI in health care. According to CB Insights,²⁹ “The company is applying AI to disease detection, new data infrastructure, and potentially insurance.”

As mentioned earlier, insurance companies can jack up premiums based on your health. So, what could possibly go wrong by having Google’s AI wired into the insurance market?

Google has also partnered with drugmaker Sanofi, which “will leverage Google’s cloud and AI technologies and integrate them into its biological innovations and scientific data which in turn will accelerate the medicine discovery process,” according to a Yahoo! Finance report.³⁰

According to Yahoo! Finance, “the collaboration will aid in the identification of various type of treatments suitable for patients. Additionally, Google’s AI tools are likely to be utilized by Sanofi in improving marketing and supply efforts and in forecasting sales.”

In plain English, this partnership will help Sanofi sell more drugs, which can hardly be said to be for the patients’ best interest, but rather that of Sanofi and Google. As mentioned earlier, Verily, Google’s health care division, is also collaborating with Sanofi, Novartis, Otsuka and Pfizer to help them identify suitable patients for clinical drug trials.³¹

To boost drug sales even further, Verily is working with Walgreens to deploy a “medication adherence” project, in which patients are equipped with devices to ensure they’re taking their medication as prescribed.³²

Amazon also plays a part in the drug adherence scheme with its recent buyout of Pillpack, an online pharmacy that offers prepackaged pill boxes with all the different medications you’re taking.

According to Yahoo! Finance, Amazon is also planning to develop at-home medical testing devices, and is rolling out the option to make medical-related purchases from Amazon using your health savings account. All of these things generate health-related data points that can then be used for other purposes, be it personalized marketing or insurance premium decisions.

Have You Had Enough of Google’s Privacy Intrusions Yet?

Add to all of this data mining the fact that Google is actively manipulating search results and making decisions about what you’re allowed to see and what you’re not based on its own and third party interests — a topic detailed in a November 15, 2019 Wall Street Journal investigation.³³ The dangers ahead should be self-evident.

Now more than ever we must work together to share health information with others by word-of-mouth, by text and email. We have built in simple sharing tools at the top of each article so you can easily email or text interesting articles to your friends and family.

My information is here because all of you support and share it, and we can do this without Big Tech’s support. It’s time to boycott and share! Here are a few other suggestions:

Like Waking Times on Facebook. Follow Waking Times on Twitter.