
Patient Data Privacy Lawsuit Against Google, UChicago Dismissed

A judge ruled to dismiss the patient data privacy lawsuit brought against Google and UChicago, as the patient failed to adequately demonstrate what damages were caused by the partnership.

A federal judge in Illinois dismissed the patient data privacy lawsuit brought against Google and the University of Chicago Medical Center on September 4, ruling that the patient who filed the suit against the entities failed to adequately demonstrate the damages suffered as a result of the partnership.

The ruling is a big win for Google, currently facing backlash over a similar partnership with Ascension. Patients argue the collaboration would give the tech giant troves of sensitive data without patient consent -- in direct violation of HIPAA. 

Google and Ascension have repeatedly stressed that the partnership followed HIPAA guidelines, but it prompted a massive privacy debate on the need for Congress to take action on gaps in the outdated regulation.

The UChicago and Google partnership was announced in 2017: a machine learning project for its electronic medical records data designed to improve healthcare outcomes. Through the partnership, the provider hoped to reduce unplanned hospital readmissions and potential care complications. 

Filed by Matt Dinerstein in June 2019, the class-action lawsuit accused the entities of violating patient privacy by allegedly sharing thousands of patient records without first removing personal identifiers, such as provider notes. Dinerstein was a patient of UChicago twice in 2015 and argued the health center did not first obtain consent to share his data with Google, nor did they notify patients of the process. 

At the core of Dinerstein’s argument was a 2018 study published in Nature’s npj Digital Medicine on a Google study that analyzed data from UChicago Medicine and the University of California San Francisco. The study found that although the data was deidentified, free-text health notes and dates of service were maintained.

Both Google and UChicago have stressed that the patient data was deidentified for the project. But the lawsuit claimed that clinician notes and timestamps were also shared with the tech giant.  

According to the suit, “While tech giants have dominated the news over the last few years for repeatedly violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is likely the greatest heist of consumer medical records in history.”

In response, Google and UChicago denied all claims, stressing that the project was solely focused on advancing healthcare, improving patient outcomes, and finding cures for diseases, as well as improving the lives of patients. Further, HIPAA guidelines were followed during the contracting process. 

“That research partnership was appropriate and legal, and the claims asserted in this case are baseless and a disservice to the Medical Center’s fundamental mission of improving the lives of its patients,” a UChicago Medicine spokesperson said at the time. 

Both Google and UChicago filed motions to dismiss, which a federal judge upheld on Friday, “arguing that Dinerstein has not adequately alleged a basis for standing in his amended complaint.” Dinerstein would have needed to demonstrate that he suffered a concrete, particularized, or actual, imminent injury caused by the partnership that “would likely be redressed by the requested judicial relief.”

For example, Dinerstein argued that the parties breached the contract. And while both parties had authority on the issue, Google and UChicago were deemed to have the better argument. Namely, “breach of contract, without monetary harm, does not confer standing.” 

“The weight of authority supports the conclusion that Dinerstein’s allegation that the University breached an express contract is sufficient for Article III standing purposes,” according to the lawsuit. “Standing, however, ‘is not dispensed in gross.’ To the contrary, ‘a plaintiff must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.’”  

“The alleged invasion of Plaintiff’s privacy is an injury in fact that can support his claim of intrusion upon seclusion,” it continued. “Dinerstein seems to suggest that the statutes at issue here—HIPAA and the MPRA—also create a legal interest in his health information... [but] has cited no authority supporting the proposition that HIPAA or the MPRA creates a property interest in health data.”

As a result, the patient did not provide enough information to support the claim that the contract signed between Dinerstein and UChicago created a legal interest in his data. Further, the allegations fail to support his argument that the value of his data has been diminished by the Google partnership.

Lastly, the patient asserted that Google or UChicago “would have agreed to pay him a royalty if they had negotiated in good faith for his medical records,” but the judge ruled that Dinerstein did not lose anything of value as a result of the alleged misconduct.

“An initial matter is whether an alleged violation of HIPAA can support a breach of contract claim at all. The statute does not create a private right of action,” the judge concluded. “The University is correct that courts in other jurisdictions have held that a HIPAA claim cannot be pursued as a breach of contract claim—that is, a contract claim cannot be used to create a right of action that Congress declined to establish.” 

“Plaintiff has not pleaded that defendants failed to comply with the requirements of such regulations,” he added. “Instead, he argues that he need not do so at this stage because the safe harbors are affirmative defenses and Defendants’ compliance with their requirements can be determined only after discovery.... the court believes the defendants have the better view.”
