Here’s The Blow-By-Blow Account Of Google’s Nightingale Nightmare; Health Data Harvesting Project Spurs Federal Inquiry

Google, in partnership with one of the largest health-care systems, has been collecting the health data of millions of American citizens without their consent. As part of this project, called Nightingale, US healthcare provider Ascension was providing Google access to private health information such as lab results, diagnoses, records of hospitalization and dates of birth of nearly 50 million Americans without their doctor’s consent. Ascension is a Catholic network of more than 2,600 sites of care – including 150 hospitals and more than 50 senior living facilities – in 20 states and the District of Columbia.

In July this year, Google had mentioned this partnership in its Q2 2019 earnings call, but not in much detail. It was only after The Wall Street Journal first reported the news that both companies announced more details about the project. The privacy-breaching ambit of this project drew massive backlash from the public as well as prominent figures.

U.S. Senator Amy Klobuchar (D-MN) released an official statement following the WSJ report, expressing “privacy concerns” regarding the project. U.S. Senator Lisa Murkowski also tweeted her concern regarding this partnership. She stated, “Like many Americans, I’m concerned to hear about details surrounding the so called Project Nightingale and its gathering of personal health data for millions of people. Privacy protections, particularly when it comes to personal info like your health, is a high priority of mine.”



After the WSJ report, an anonymous whistleblower who works on Project Nightingale also expressed concern and anger regarding the project and the fact that patients are being kept in the dark. The person also posted a video on the social media platform Dailymotion that disclosed hundreds of images of confidential documents pertaining to Project Nightingale. However, the video has been taken down by the platform, citing “breach of the Terms of Use”.

The Guardian also published an op-ed written by the anonymous whistleblower wherein the person mentioned, “I grew increasingly concerned about the security and privacy aspects of the deal. It became obvious that many around me in the Nightingale team also shared those anxieties.”

“Above all: why was the information being handed over in a form that had not been ‘de-identified’ – the term the industry uses for removing all personal details so that a patient’s medical record could not be directly linked back to them? And why had no patients and doctors been told what was happening?” the person added.

The Nightingale Nightmare For Google

Amidst all the backlash and public outrage, the leaders of the House Committee on Energy and Commerce have written to the CEOs of Ascension and Google, requesting briefings from the companies on Project Nightingale by December 6. The companies will brief the Committee on the following:

1. What data Ascension is sharing with Google.

2. How the data is being used and shared.

3. The extent to which employees at Google and its parent company Alphabet have access to this information.

4. The extent to which patients were informed about the use and sharing of their data.

5. What steps are being taken to protect the privacy and security of patients’ data.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ personal health information,” the Committee leaders mentioned in the letter.

Project Nightingale is also facing a federal inquiry. The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented.” 

In response to the federal inquiry, Tariq Shaukat, President, Industry Products and Solutions, Google Cloud said in a blog post, “We are happy to cooperate with any questions about the project. We believe Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and comes with strict guidance on data privacy, security, and usage.”

Dr. A. C. Sharma is a general surgeon who worked with the UP government for almost 40 years. He retired as the Joint Director of State Medical and Health Services, Uttar Pradesh. He told Analytics India Magazine that data pertaining to a person’s health as well as to his/her medical condition is highly personal and private. “The law also dictates that any information that is shared between a patient and the doctor regarding health or disease is considered a ‘Privileged Communication’ and either the person’s consent or a judicial order is a must for such data to be divulged or accessed. Therefore, in my opinion, such an act of accessing private health data is wrong.”

The Hype Surrounding HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that regulates the privacy and security of protected health information and data. Under US law, any health information that contains an identifying element (name, social security number, telephone number, email address, street address, among others) that can be linked back to a specific patient is referred to as protected health information (PHI).

According to Shaukat, “All of Google’s work with Ascension adheres to industry-wide regulations (including HIPAA) regarding patient data, and come with strict guidance on data privacy, security and usage. We have a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.”

Shaukat also claimed that “This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care.” 

However, he gave an assurance that, as per this partnership, “Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”

“Based on what I see in media reports, I think that Google and Ascension have probably complied with HIPAA (US health privacy law) at least within the letter of the law. They have structured this so that it is designed to provide data used to improve the care of Ascension patients and would thus be deemed quality improvement—or related to care,” Margaret Riley, a law professor at the University of Virginia with extensive expertise in the areas of healthcare law and bioethics, told Analytics India Magazine.

“The problem that I have is that the size and scope of the endeavor feel more like research to me. It is not clear who owns the data and algorithms that are being produced. Unless you are eligible for a waiver of consent, research requires consent and that, since they argue they aren’t doing research, has not been obtained,” she added.

Talking to Analytics India Magazine about the importance of data and the impact of Google on this domain, Vishal Gondal, Founder and CEO of GOQii, said, “I have always believed that data will become ubiquitous. The value is not in the data but what you do with the data. Google has already dominated the internet of information, now they clearly want to dominate the internet of health. In the past, Google was indexing webpages and websites and thereafter would present your search results. In the future, they will start indexing your health data and figuring out what is most relevant for you.”

Shaukat claims that “the goal of the partnership is to enhance the experience of patients and clinical providers across the continuum of care, improving outcomes and saving lives.” 

According to Shaukat, Ascension is moving its infrastructure to Google Cloud and its productivity software to G Suite. The non-profit health system is also working with Google to pilot tools designed for doctors and nurses to utilize for patient care. “Specifically, we are piloting tools that could help Ascension’s doctors and nurses more quickly and easily access relevant patient information, in a consolidated view,” Shaukat claimed. 

Gondal also believes that this partnership will improve hospital operations and reduce overall medical costs. “How Google manages and uses this treasure trove of data will be of keen interest,” he stated.

After being subjected to scrutiny regarding the security and privacy aspects of the Project, both the companies leapt into troubleshooting mode and divulged more information on this partnership, as well as their intent behind this deal. Google published the blog post detailing the facts about the deal, along with FAQs addressing the details around the project and how it protects patient data.

Ascension, on the other hand, issued a press release sharing the company’s perspective and role. “As the healthcare environment continues to rapidly evolve, we must transform to better meet the needs and expectations of those we serve as well as our own caregivers and healthcare providers,” said Eduardo Conrado, Executive Vice President, Strategy and Innovations, Ascension. 

He went on to add, “Doing that will require the programmatic integration of new care models delivered through the digital platforms, applications and services that are part of the everyday experience of those we serve.”

Harrows Of Health-data Harvesting

However, this isn’t the first time that Google has been in hot water over matters concerning healthcare data. Back in 2017, Google, the University of Chicago and an affiliated medical center announced a partnership wherein the University of Chicago Medical Center would share patient data with the tech giant in order to utilize the unused data goldmine available in the form of electronic health records and come up with better predictive analysis in medicine.

In July this year, Google, the medical center, and the University of Chicago were sued in a potential class-action lawsuit that accused the University of sharing private health data with Google without the consent of the patients, even after the former “promised in its patient admission forms that it would not disclose patients’ records to third parties, like Google, for commercial purposes.”

Also, the claims made by the tech giant and the University that the medical records were de-identified were “incredibly misleading”. 

In another case of Google’s concerning health-data harvesting endeavors, the company entered into a data-sharing agreement with the UK’s state-run National Health Service that allowed Google-owned artificial intelligence company DeepMind access to a vast amount of health data of more than 1.6 million patients, as part of a research program.

The Fitbit Conundrum 

Earlier this month, Google announced that it has entered into a definitive agreement to acquire wearable and fitness tracking company Fitbit for over $2.1 billion. In a blog post, Rick Osterloh, Senior Vice President, Devices & Services, Google, mentioned, “By working closely with Fitbit’s team of experts, and bringing together the best AI, software and hardware, we can help spur innovation in wearables and build products to benefit even more people around the world.”

With this acquisition, Google will gain access to the health data of more than 28 million active users of Fitbit devices. This has raised concerns among politicians and privacy and anti-trust activists, some of whom are even calling for a block on this acquisition by reaching out to the Federal Trade Commission.

Democratic Congresswoman Katie Porter from California tweeted, “Google is under anti-trust investigation and is gobbling up Fitbit — a company that stores some of our most private health data. It’s time for anti-trust enforcers to do their jobs instead of keeping us all under the rule of monopolies.”

Representative David Cicilline, Chairman of the House Judiciary antitrust subcommittee, said during a subcommittee hearing on antitrust in digital markets, “Google’s proposed acquisition of Fitbit would threaten to give it yet another way to surveil users and entrench its monopoly power online.”

However, Osterloh mentioned in the blog post that Google will never sell personal information to anyone. “Fitbit health and wellness data will not be used for Google ads. And we will give Fitbit users the choice to review, move, or delete their data,” he said.

Wearing Your Health Data On Your Sleeve

We, as users of health-tracking apps and devices, offer access to our personal health information to these companies in return for their health-monitoring benefits.

U.S. Senator Amy Klobuchar (D-MN) believes that the collaboration between Google and Ascension is not the only one that raises concern. “New technologies have made it easier for people to monitor their own health, but health tracking apps, wearable technology devices like Fitbits, and home DNA testing kits have also given companies access to your private health data with very few rules of the road in place regulating how it is collected and used,” she said in a statement.

Riley believes that we provide access to our personal health information all the time, and that outside of the HIPAA context (which is the case with most wearables) privacy interests are governed by contract, and most users simply click through. She opines that, as users, we don’t really engage in a full discussion regarding the risks and consequences. Privacy is often discussed without a parallel discussion about aspects such as the benefits of sharing data, who ends up owning the data and its consequences, and what alternatives we might pursue as a society.

The market for wearable tech in India is also booming. According to research firm International Data Corporation, the market for wearable devices more than doubled in the second quarter of 2019, registering an all-time high of 3 million shipments. “This has further cemented India’s position as the third-largest wearables market in the world after China and the USA,” said IDC. 

“We are seeing a shift in lifestyle devices segment wherein consumers are adopting new kind of devices to track their health and fitness that is reflecting in the uptake of the wearables segment. Brands continue to augment newer health tracking features and increasingly spending on marketing, and this is helping wearables to become one of the preferred choices amongst the fitness enthusiasts to support an active lifestyle,” said Jaipal Singh, Associate Research Manager, Client Devices, IDC India.

In the affordable wearable segment in India, GOQii is a major player, along with Xiaomi. Talking about the steps taken by GOQii to ensure the safety of its user health data, Gondal said, “We use large, aggregated, anonymized data sets, from over millions of users, collected over a length of time, to generate health and fitness trends and insights. We then compile this information into a report, which we make publicly available.”

He went on to explain that since the data that GOQii collects is voluminous and anonymized, health data of any single individual cannot be inferred from the data sets. The company uses this research to devise strategies to make the app better at providing more relevant health and fitness information. Additionally, GOQii claims to comply with international standards such as HIPAA and ISO 27001.

“At Ciitizen we believe the best way to address patient data privacy is by putting patients in charge of their own data and letting them consent as to how and with whom it is shared,” Premal Shah, President & Co-Founder of Ciitizen, told Analytics India Magazine.

California-based Ciitizen is a consumer health tech company that offers a platform that helps patients collect, organize, and share their medical records digitally. “While tech hacks are something that all organizations need to pay careful attention to, the breach that people are most concerned about is a breach of trust, not of technology. When a patient controls the movement of their own health data they know exactly how their health data is being used,” Shah added.

The health-tech market in India is evolving and is on an upward trajectory. According to research and analytics platform Tracxn, as of September 2019, there were 2,975 health-tech startups in India. A potential health data privacy breach could really put a damper on the growth of health-tech in India and also make the general public apprehensive of using the services of these startups.

“Client health data is very important and confidentiality of the same needs to be protected at all costs,” according to Dr. Geetha Manjunath, Cofounder and CEO of Niramai.

Niramai is an AI-driven cancer detection startup that uses a secure storage system for storing patient data in an anonymized and encrypted form. The company also doesn’t take any personally identifiable information (PII) from the patient, so once the data is in the data store, there is no way to trace it back to the patient with just that information (without hospital interaction).

Talking about the steps that should be taken by health-tech companies like Niramai and healthcare regulatory authorities to ensure that private health data stays private and is not misused, she said, “It is important for health tech companies to maintain the integrity of patient data and protect the confidentiality of health information. Patient data should also not be misused against the patient. For example, if the data is used to gain insights about the patients and then those insights are used against them in increasing insurance premium and such. One way of protecting the user from such threats is to completely anonymize the data and only allow the health tech companies to use abstract information to gain insights about the community, or use it for research and build better predictive models which will further benefit all patients.”

“I think regulatory authorities should insist on companies to document the data operating procedures in their Quality Management Systems and ensure implementation of the same through regular inspections and audits. CE mark, ISO 13485 and GDPR requirements provide such broad guidelines, which I think all health tech companies need to follow strictly,” she added. 


Rahul Raj
Rahul is a Delhi-based journalist/amateur photographer/story-teller/entrepreneur. He loves cheesecakes, puppies, minimalistic designs, mountains and traveling with his camera. He has previously worked with media organizations such as Inc42, Tech In Asia, and Times Internet. You can reach him at with news tips, story ideas, feedback, and insights.
