throbber
Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 1 of 45 PageID #:286
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION
`
`MATT DINERSTEIN, individually and on behalf of
`all others similarly situated,
`
`
`
`Case No. 1:19-cv-04311
`
`Hon. Rebecca R. Pallmeyer
`
`Plaintiff,
`
`
`v.
`
`
`GOOGLE, LLC, a Delaware limited liability company,
`and THE UNIVERSITY OF CHICAGO MEDICAL
`CENTER, an Illinois not-for-profit corporation, THE
`UNIVERSITY OF CHICAGO, an Illinois not-for-
`profit corporation,
`
`
`Defendants.
`
`
`
`AMENDED CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL
`
`Plaintiff Matt Dinerstein brings this Amended Class Action Complaint and Demand for
`
`Jury Trial against Defendant Google, LLC (“Google”), and against Defendants The University of
`
`Chicago Medical Center, and The University of Chicago (collectively referred to as the
`
`“University” or “University of Chicago”). Plaintiff, individually and on behalf of all others
`
`similarly situated, alleges as follows upon personal knowledge as to himself and his own acts and
`
`experiences, and, as to all other matters, upon information and belief.
`
`NATURE OF THE ACTION
`
`1.
`
`While tech giants have dominated the news over the last few years for repeatedly
`
`violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is
`
`likely the greatest heist of consumer medical records in history. The compromised personal
`
`information is not just run-of-the-mill like credit card numbers, usernames and passwords, or
`
`even social security numbers, which nowadays seem to be the subject of daily hacks; rather, the
`
`personal medical information sold to Google by the University of Chicago is the most sensitive
`
`1
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 2 of 45 PageID #:287
`
`and intimate information in an individual’s life, and its unauthorized disclosure is far more
`
`damaging to an individual’s privacy.
`
`2.
`
`Beginning in or around 2016, Google set in motion a plan to make its most
`
`significant play in the healthcare space. This plan had two key components: (1) obtain the
`
`Electronic Health Record (“EHR”) of nearly every patient from the University of Chicago
`
`Medical Center from 2009 to 2016; and (2) file a patent for its own proprietary and commercial
`
`EHR system that wouldn’t be published until well after it had obtained hundreds of thousands of
`
`EHRs from the University.
`
`3.
`
`EHRs contain patients’ highly sensitive and detailed medical records, including
`
`records revealing not only a person’s height, weight and vital signs, but whether they suffer from
`
`diseases like AIDS, cancer, sickle cell, depression, sarcoidosis, or diabetes, or went through a
`
`medical procedure like an abortion, transplant, or mastectomy. In short, EHRs are the most
`
`personal and sensitive information that exist about a person.
`
`4.
`
`The disclosure of EHRs here is even more egregious because the University
`
`promised in its patient admission forms that it would not disclose patients’ records to third
`
`parties, like Google, for commercial purposes. Nevertheless, the University did not notify its
`
`patients, let alone obtain their express consent, before selling their confidential medical records
`
`to Google as part of a research study.
`
`5.
`
`In an attempt to provide the public a false sense of security over the legitimate
`
`privacy concerns with these practices, Google and the University claimed the medical records
`
`were de-identified. But that’s incredibly misleading. The records the University provided Google
`
`2
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 3 of 45 PageID #:288
`
`included detailed datestamps1 and copious free-text notes. As shown below, Google—as one of
`
`the most prolific data mining companies—is uniquely able to determine the identity of almost
`
`every medical record the University released.
`
`6.
`
`This ability is only increased by and through Google’s direct subsidiary,
`
`DeepMind, an international leader in artificial intelligence machine learning. In the year
`
`following Google’s massive medical data grab, it fully absorbed and took control of a division of
`
`DeepMind known as “DeepMind Health,” for the specific purpose of analyzing medical records
`
`and creating commercial products. Google’s access to DeepMind’s technology allows it to find
`
`connections between various data points (i.e. from EHRs and Google users’ data).
`
`7.
`
`Google spent the last decade attempting to gain a foothold in the trillion-dollar per
`
`year healthcare industry. But, to develop the type of healthcare technologies most in line with its
`
`data analytics and mining platforms, Google needed access to massive amounts of identifiable
`
`medical records. To a company like Google—best known for its ubiquitous search engine, but in
`
`reality, one of the largest data mining companies in the world—access to that type of data is
`
`extremely elusive.
`
`8.
`
`To be sure, Google’s overtures for such detailed and identifiable records from
`
`hospitals, researchers, and healthcare providers alike were all uniformly rebuffed. That is, of
`
`course, until Google came across The University of Chicago.
`
`9.
`
`The University provided Google a partner willing to turn over the information that
`
`it desperately needed. Indeed, the University—seeking not much more than notoriety for its
`
`collaboration with Google in the development of healthcare products—was happy to turn over
`
`
`The term “datestamp,” in the medical field, is inclusive of both date and time.
`1
`Datestamps in the University’s electronic medical record system are stored as the number of
`seconds since midnight on December 31, 1840.
`
`3
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 4 of 45 PageID #:289
`
`the confidential, highly sensitive and HIPAA-protected records of every patient who walked
`
`through its doors between 2009 and 2016. Ultimately, by getting the University to turn over
`
`these records, Google quietly pulled off a feat that other tech giants (like Facebook) have had to
`
`abandon under mounting public pressure for other gross privacy violations.2
`
`10.
`
`In exchange for confidential patient medical records, Google agreed to provide
`
`the University with a perpetual license to use the software it developed. Other than this limited
`
`license, Google kept all intellectual property rights to the software it developed using patients’
`
`medical information, including the right to commercialize the software later. To put it another
`
`way: Google paid the University for medical information (that rightfully belongs to patients) by
`
`providing a license to its proprietary software.
`
`11.
`
`The arrangement with the University allowed Google to begin developing
`
`software that it can market to hospitals looking improve their bottom lines. Google’s product can
`
`be sold at premium prices because it targets areas that are very expensive for hospitals: “future
`
`healthcare utilization,” “emergency department visit[s],” “encounter cost of care,” and—
`
`critically—“hospital readmission.” Readmission in particular is an important matter for hospitals,
`
`because Medicare reduces payments to hospitals that have excess readmissions for common
`
`conditions such as heart failure or pneumonia.3 On information and belief, the software Google is
`
`developing using Plaintiff’s and Class members’ private medical information is worth more than
`
`$10,000,000.
`
`
`Facebook sent a doctor on a secret mission to ask hospitals to share patient data, CNBC,
`2
`https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-
`hospitals.html?cid=sm_npd_nn_tw_ma (last visited on October 2, 2019).
`3
`Centers for Medicare & Medicaid Services, Hospital Readmissions Reduction Program
`(HRRP), https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-
`Instruments/Value-Based-Programs/HRRP/Hospital-Readmission-Reduction-Program.html (last
`visited on October 2, 2019).
`
`4
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 5 of 45 PageID #:290
`
`12.
`
`And as if all of this weren’t bad enough, the University also engaged in a cover up
`
`to keep the breach out of the public eye so as to avoid the public backlash. The cover up is
`
`particularly egregious because the University had a legal duty to inform its patients and the
`
`authorities of the unauthorized transfer of their medical records to Google. While this type of
`
`public misinformation campaign may be expected from a tech company that has been known to
`
`play fast and loose with the information of its customers, the fact that a prominent institution like
`
`The University of Chicago would act in such a way is truly stunning.
`
`13.
`
`Accordingly, this Complaint seeks all appropriate damages and injunctive relief to
`
`address, remedy, and prevent further harm to Plaintiff and the Class resulting from Defendants’
`
`gross misconduct.
`
`PARTIES
`
`14.
`
`15.
`
`Plaintiff Matt Dinerstein is a natural person and a citizen of the State of Illinois.
`
`Defendant Google, LLC, is a limited liability company existing under the laws of
`
`the State of Delaware, with its principal place of business located at 1600 Amphitheatre
`
`Parkway, Mountain View, California 94043.
`
`16.
`
`Defendant The University of Chicago Medical Center is a not-for-profit
`
`corporation existing under the laws of the State of Illinois, with its principal place of business
`
`located at 5841 South Maryland Avenue, Chicago, Illinois 60637.
`
`17.
`
`Defendant The University of Chicago is a not-for-profit corporation existing
`
`under the laws of the State of Illinois, with its principal place of business located at 5801 South
`
`Ellis Avenue, Chicago, Illinois 60637.4
`
`
`The University of Chicago Medical Center and The University of Chicago are fully
`4
`integrated entities that have acted jointly in this case. The University of Chicago Medical Center
`and The University of Chicago are jointly managed and share employees.
`
`5
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 6 of 45 PageID #:291
`
`JURISDICTION & VENUE
`
`18.
`
`This Court has subject matter jurisdiction under 28 U.S.C. § 1332(d)(2) because
`
`(i) at least one member of the Class is a citizen of a different state than any Defendant, (ii) the
`
`amount in controversy exceeds $5,000,000, exclusive of interests and costs, and (iii) none of the
`
`exceptions under that section apply.
`
`19.
`
`This Court has personal jurisdiction over Defendants because they conduct
`
`business in this District and the wrongful conduct giving rise to this case occurred in, was
`
`directed to, or emanated from this District. This Court further has personal jurisdiction over
`
`Defendants The University of Chicago Medical Center and The University of Chicago because
`
`they are headquartered in this District.
`
`20.
`
`Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendants
`
`The University of Chicago Medical Center and The University of Chicago maintain their
`
`headquarters and principal place of business in this District, and a substantial part of the events
`
`giving rise to Plaintiff’s Complaint occurred in this District.
`
`FACTUAL BACKGROUND
`
`Detailed and Identifiable Medical Records are the Most Valuable Consumer Data,
`and the Hardest to Obtain.
`
`21. With the rise of the data mining industry, corporations have started gathering
`
`I.
`
`
`
`untold amounts of data regarding consumers’ daily lives, including what they do on their phones,
`
`and computers, where they travel each day, and even what they purchase in retail stores. From
`
`this, data miners and brokers can build detailed portfolios about consumers that are then bought
`
`and sold for a variety of purposes.
`
`22.
`
`A key component of any data portfolio is the status of a consumer’s health. While
`
`data points such as purchase histories, search engine and browsing histories, as well as social
`
`6
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 7 of 45 PageID #:292
`
`media posts can provide insight into certain health problems, a clear picture of a consumer’s
`
`health remains largely a black hole for data miners. The only substantial remedy to this problem
`
`is access to detailed and complete medical records.
`
`23.
`
`A multi-billion-dollar industry has arisen in response to this need.5 Pharmacies,
`
`insurance companies, and other medical organizations—including federal and many state health
`
`departments—provide limited medical information to data brokers. Three quarters of all retail
`
`pharmacies send some portion of their electronic records to these companies. While this data is
`
`largely de-identified, data brokers are able to make numerous assumptions about the data in
`
`order to make it into a marketable product.6
`
`24.
`
`These data points are often incomplete in other ways beyond de-identification. In
`
`most instances, the data points are merely a snapshot of a small part of a consumer’s overall
`
`health (e.g., a specific prescription or a single ailment, etc.). This type of data will rarely, if ever,
`
`show a complete medical history or in-depth accounting of medical ailments and procedures over
`
`time.7 That data, largely contained only in the records of doctors and hospitals, is far more rare
`
`and is viewed as a “Holy Grail” of health information for any data miner.8
`
`
`How Data Brokers Make Money Off Your Medical Records, SCIENTIFIC AMERICAN,
`5
`https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-
`records (last visited on October 2, 2019).
`6
`Your private medical data is for sale – and it's driving a business worth billions, THE
`GUARDIAN, https://www.theguardian.com/technology/2017/jan/10/medical-data-multibillion-
`dollar-business-report-warns (last visited on October 2, 2019).
`7
`The incredible potential and dangers of data mining health records, THE WASHINGTON
`POST, https://www.washingtonpost.com/news/innovations/wp/2014/10/01/the-incredible-
`potential-and-dangers-of-data-mining-health-records/?utm_term=.f92ac1b63800 (last visited on
`October 2, 2019).
`8
`How Your Medical Data Fuels a Hidden Multi-Billion Dollar Industry, TIME,
`http://time.com/4588104/medical-data-industry (last visited on October 2, 2019); see also The
`Hidden Global Trade in Patient Medical Data, YALEGLOBAL ONLINE,
`https://yaleglobal.yale.edu/content/hidden-global-trade-patient-medical-data (last visited on
`October 2, 2019).
`
`7
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 8 of 45 PageID #:293
`
`25.
`
`A complete health record is an extremely sensitive data set that provides insight
`
`into the most personal aspects of an individual’s life. It can shed light on chronic conditions, life-
`
`threatening illnesses, whether a person has addiction issues, disabilities, and issues related to
`
`pregnancy, along with personal details such as sexual preferences, gender nonconformity, and
`
`sexually transmitted diseases.
`
`26.
`
`The details of an individual’s medical history are of significant value to a variety
`
`of interested parties, including employers, schools, governments, insurance companies, lenders,
`
`retail marketers, and obviously, companies in the health care business. These entities can rely on
`
`consumers’ records to make decisions about whether to lend money, how to price insurance
`
`products, whether to hire a person, and even identify reasons to discriminate.
`
`27.
`
`Full medical records are so sensitive, and so sought after, that Congress created a
`
`comprehensive statutory regime, known as the Health Insurance Portability and Accountability
`
`Act (“HIPAA”), to prevent their unauthorized disclosure. HIPAA established rules that require
`
`healthcare organizations to limit who can access, view, or share health data. It is meant to ensure
`
`that any information disclosed to healthcare providers (e.g., doctors and hospitals) and health
`
`plans (e.g., insurance companies), or information that is created by them, is subject to strict
`
`security controls. Patients are also given control over who their information is released to and
`
`who it is shared with.
`
`28.
`
`Besides the obvious obligations that health-care providers, like the University,
`
`have to act in the best interest of their patients’ health, a primary duty of any health care provider
`
`during and long after patients are cared-for—regardless of whether in connection with a run-of-
`
`the-mill visit to the doctor’s office or life-saving trip to the emergency room—is to protect their
`
`privacy and secure their medical records HIPAA.
`
`8
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 9 of 45 PageID #:294
`
`29. Without HIPAA, data miners like Google, in conjunction with hospitals like the
`
`University, could create a thriving marketplace for medical data. Companies would willingly pay
`
`millions of dollars for complete medical records, which they would analyze, repackage and sell
`
`to thousands of clients.
`
`II.
`
`
`
`The University of Chicago Agreed to Protect the Medical Records of Millions
`of Patients.
`
`30.
`
`As the University is well aware, HIPAA alone isn’t always enough to protect
`
`patient information. At the Google Cloud Next conference in 2017, University of Chicago
`
`Associate Chief Research Informatics Officer Samuel Volchenboum explained to an audience
`
`that supposedly anonymous healthcare data can often be easily matched with other data to
`
`identify the subject of the data. He noted that even taking out the data required to be removed by
`
`HIPAA “might not be enough” to protect a patient’s anonymity and explained in detail how
`
`HIPAA-compliant data could be and had been used to identify individual patients.
`
`31.
`
`The University holds itself out as following the highest standards of patient care
`
`and being among the highest rated and most awarded hospitals in the world,9 claims which
`
`extend to their commitment to patient privacy and the protection of medical data. In keeping with
`
`that promise, the University widely represents that it follows HIPAA and other applicable laws,
`
`takes patient privacy seriously, and describes how it will protect patient medical records.
`
`32.
`
`HIPAA contains no private right of action, meaning that, standing alone, HIPAA
`
`does not provide patients with a way to enforce the privacy of their medical information.
`
`However, the standard agreement the University drafted for its patients to sign before obtaining
`
`treatment goes beyond the requirements of HIPAA. The agreement not only gives notice of the
`
`
`Awards and Accreditations, UChicago Medicine,
`9
`http://www.uchospitals.edu/about/awards/ (last visited on October 2, 2019).
`
`9
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 10 of 45 PageID #:295
`
`privacy practices, as is required, but it creates an enforceable promise between patients and the
`
`University, promising both that the University will make “all efforts” to protect patients’ privacy
`
`and that the University will only use patients’ medical information in accordance with state and
`
`federal laws, including all patient privacy laws. No applicable law requires the University to
`
`include such promises in its contract with patients.
`
`33.
`
`The records governed by federal and state patient privacy laws are exactly the
`
`type of medical records in the possession of the University. Each time a patient is seen, whether
`
`for a brief outpatient procedure or a month-long in-patient stay, the University collects detailed
`
`information about their current and past health conditions, as well as creates sensitive new data
`
`while the individual is treated. Individuals entrust their most personal information, experiences,
`
`and physical and mental hardships to the medical staff of the University. This can include genetic
`
`information, family health histories, details of sexual encounters, mental illness or a terminal
`
`diagnosis. In return, patients expect that the University will act accordingly and protect their
`
`privacy.
`
`34.
`
`Over decades of operation, the University has collected and stored billions of data
`
`points through millions of patient medical records.
`
`35.
`
`From both a legal and ethical standpoint, it is unquestionable that the University is
`
`obligated to protect patient data, prevent its unauthorized disclosure, and act in the best interests
`
`of its patients. It is equally obvious that the University’s patients do not want, and do not consent
`
`to, the transfer of their medical records to a third-party data miner intent on using them for
`
`commercial purposes.
`
`36.
`
`The obligation to protect patient data at the University is heightened by the socio-
`
`economic makeup of its patients. A significant portion of the patients treated at the University
`
`10
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 11 of 45 PageID #:296
`
`are socially and economically disenfranchised, making them far less able to vindicate and
`
`advocate for their privacy rights.
`
`IV. An Overview of Google and its Aggressive Efforts to Enter the Trillion-Dollar Per
`Year Healthcare Industry.
`
`37.
`
`Although primarily recognized for its search engine, Defendant Google operates
`
`one of the most far reaching and comprehensive data mining machines in the world. The Wall
`
`Street Journal recently noted that,
`
`Google Analytics is far and away the web’s most dominant analytics platform.
`Used on the sites of about half of the biggest companies in the U.S., it has a total
`reach of 30 million to 50 million sites. Google Analytics tracks you whether or
`not you are logged in. Meanwhile, the billion-plus people who have Google
`accounts are tracked in even more ways. In 2016, Google changed its terms of
`service, allowing it to merge its massive trove of tracking and advertising data
`with the personally identifiable information from our Google accounts…. Google
`also is the biggest enabler of data harvesting, through the world’s two billion
`active Android mobile devices.10
`
`38. With billions of monthly active users, Google has access to an exorbitant amount
`
`of personal consumer data, including Internet web browsing histories (Google Chrome), Internet
`
`searches (Google Search), physical locations (Google Maps and Waze), personal and work email
`
`(Gmail), and mobile devices (Android). This wealth of information feeds into Google’s highly
`
`profitable analytics and advertising platform, which makes up virtually all of its $110.8 billion of
`
`annual revenues.
`
`39. While analytics and advertising are its primary source of income, Google
`
`constantly looks to develop new products and services, and enter new markets. One market it has
`
`been aggressively trying to enter is the trillion-dollar per year healthcare industry.
`
`
`Who Has More of Your Personal Data Than Facebook? Try Google, THE WALL STREET
`10
`JOURNAL, https://www.wsj.com/articles/who-has-more-of-your-personal-data-than-facebook-try-
`google-1524398401 (last visited on October 2, 2019).
`
`11
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 12 of 45 PageID #:297
`
`a.
`
`Google Research
`
`40.
`
`Over the last decade, Google has invested heavily in health-related products and
`
`services, including:
`
`•
`
`Introducing G Suite (i.e., Gmail, Docs, Drive, Calendar, and other cloud
`services) for healthcare businesses;
`
`• Developing Google Cloud (i.e., Google’s cloud storage and computing
`platform) for HIPAA compliant workloads;
`
`• Creating Google Genomics, which is Google’s cloud platform that analyzes
`and stores massive amounts of human genetic data (i.e., DNA);
`
`• Launching Google Fit, which is a service that monitors individual’s physical
`activity, steps, and caloric intake;
`
`• Adding “symptom search” and “health cards” to Google Search, which allows
`consumers to more easily research answers to common health-related
`questions;11 and
`
`• Making “big bets in healthcare and life sciences” including spending hundreds
`of millions investing in and acquiring healthcare companies like Calico,
`DeepMind, and Verily.
`
`41.
`
`Google also created what it calls its Google Research healthcare team. Google
`
`
`
`
`
`
`
`
`
`
`
`Research is Google’s in-house research center that it markets as an academic-type think tank or
`
`research center (in reality, it’s just a product research and development division). The healthcare
`
`team, in turn, researches opportunities for applying Google technologies—machine learning and
`
`artificial intelligence (“AI”), in particular—to healthcare. According to its marketing materials,
`
`Google’s healthcare team believes:
`
`“AI is poised to transform medicine, delivering new, assistive technologies that will
`empower doctors to better serve their patients. Machine learning has dozens of
`
`In fact, 1 in 20 Google searches are for health-related information. See Prem Ramaswami,
`11
`A remedy for your health-related questions: health info in the Knowledge Graph, GOOGLE (Feb.
`10, 2015), https://googleblog.blogspot.com/2015/02/health-info-knowledge-graph.html (last
`visited on October 2, 2019).
`
`
`12
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 13 of 45 PageID #:298
`
`possible application areas, but healthcare stands out as a remarkable opportunity. .
`. .”12
`
`42.
`
`Google was especially interested in using its machine learning models to predict
`
`healthcare events, like detecting a patient’s heart attack hours or even days in advance.
`
`43.
`
`But Google had difficulty gaining a foothold in the predictive health analytics
`
`industry. Indeed, Google’s major hurdle to predicting healthcare events, as described above, was
`
`a lack of access to massive amounts of personal health data, which consumers are not eager to
`
`share with data miners and thus, healthcare providers are prohibited from doing so. Google knew
`
`this, so it attempted a work-around.
`
`44.
`
`In 2008, Google attempted to gather consumer medical data by developing a
`
`service that let consumers organize and store their personal health data and medical records on
`
`Google’s platform. The service barely got off the ground, however. After a short period of time,
`
`it was discontinued for a lack of consumer participation.
`
`45.
`
`Thereafter, Google went looking for new avenues of access to patient data.
`
`b.
`
`DeepMind
`
`46.
`
`In 2014, for $520 million, Google acquired a tiny startup named DeepMind that
`
`focused on bringing artificial intelligence and advanced machine learning to, among others, the
`
`healthcare industry.
`
`47.
`
`Following this acquisition, Google, in part through DeepMind, embarked on a
`
`campaign, veiled as well-intentioned research, to obtain millions of medical records from health
`
`care organizations.
`
`48.
`
`Initially, Google and DeepMind participated in a 2015 “study” that processed
`
`
`Healthcare and biosciences, GOOGLE RESEARCH,
`12
`https://research.google.com/teams/brain/healthcare/ (last visited on October 2, 2019).
`
`13
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 14 of 45 PageID #:299
`
`patient data from the Royal Free NHS Foundation Trust. The medical record sharing there raised
`
`serious concerns about privacy and patient consent. The Information Commissioner’s Office, a
`
`UK data protection watchdog, stated, “[o]ur investigation found a number of shortcomings in the
`
`way patient records were shared for this trial . . . Patients would not have reasonably expected
`
`their information to have been used in this way, and the Trust could and should have been far
`
`more transparent with patients as to what was happening.” It concluded that the agreement with
`
`Royal Free “failed to comply with data protection law.”13
`
`49.
`
`DeepMind, in response, stated “in our determination to achieve quick impact
`
`when this work started in 2015, we underestimated the complexity of the NHS and of the rules
`
`around patient data, as well as the potential fears about a well-known tech company working in
`
`health.”14
`
`50. While their statements were meant to be an apology and included promises to
`
`protect patient privacy, it did not change Google’s course.15
`
`51.
`
`During this time, Google and DeepMind widely propagated the narrative that
`
`DeepMind would continue to operate independently and outside the reach of Google, and that
`
`
`13
`See Royal Free breached UK data law in 1.6m patient deal with Google’s DeepMind,
`THE GUARDIAN, https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-
`patient-royal-free-deal-data-protection-act (last visited on October 2, 2019); see also The
`Information Commissioner, the Royal Free, and what we’ve learned,
`https://deepmind.com/blog/ico-royal-free (last visited on October 2, 2019).
`14
`The Information Commissioner, the Royal Free, and what we’ve learned,
`DeepMind.com, https://deepmind.com/blog/ico-royal-free/ (last visited on October 2, 2019).
`15
`Google has since gained access to 700,000 medical records through the US Department
`of Veterans Affairs. It remains unclear, what, if any, consent veterans provided to share their
`medical records with Google or the level of detail included in those records. Researching patient
`deterioration with the US Department of Veterans Affairs, DeepMind.com,
`https://deepmind.com/blog/research-department-veterans-affairs/ (last visited on October 2,
`2019).
`
`
`14
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 15 of 45 PageID #:300
`
`Google would not have direct access to patient records.
`
`c.
`
`Google’s Commercialization Plans
`
`52.
`
`However, shortly after Google acquired hundreds of thousands of records from
`
`the University of Chicago, that narrative finally fell apart. In November 2018, Google announced
`
`that it would fully absorb and take control of DeepMind Health, separating it from DeepMind
`
`itself.16 As such, any supposed wall protecting health data collected and processed by DeepMind
`
`was gone. And furthermore, Google now has at its disposal all the advanced capabilities
`
`possessed by DeepMind to apply to the health records acquired from the University of
`
`Chicago.17
`
`53.
`
`Additionally, it is clear that the takeover of DeepMind Health was meant to be a
`
`major step toward the full-scale commercialization of Google’s health products. As noted by the
`
`Financial Times:
`
`David Feinberg, the former head of the US private healthcare group Geisinger,
`will run Google Health, drawing together and commercializing the company’s
`disparate experiments in everything from diagnosing cancer to managing chronic
`illness and equipping doctors with more technology… ‘[Feinberg’s] expertise is
`on the operational side of the health payer-provider space, rather than research.
`His role will be to figure out a go-to-market strategy, how to deploy and sell tools
`to hospitals, health insurance carriers and patients,’ said Nikhil Krishnan, health
`analyst at CBInsights, who has authored an in-depth report on Google’s
`
`
`DeepMind Is Handing DeepMind Health Over To Google, FORBES,
`16
`https://www.forbes.com/sites/samshead/2018/11/13/deepmind-is-handing-over-deepmind-health-
`to-google/#6db706b72d55 (last visited on October 2, 2019); Why Google Just Tightened Its Grip
`On DeepMind, Forbes, https://www.forbes.com/sites/parmyolson/2018/11/14/why-google-just-
`tightened-its-grip-on-deepmind/#1aa439552789 (last visited on October 2, 2019).
`17
`Google has a responsibility to protect DeepMind data, Financial Times,
`https://www.ft.com/content/83e1e46c-ebf0-11e8-8180-9cf212677a57 (last visited on October 2,
`2019; Google, DeepMind and my confidential health records, Financial Times,
`https://www.ft.com/content/2ee8c190-ed28-11e8-8180-9cf212677a57 (last visited on October 2,
`2019).
`
`
`15
`
`

`

`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 16 of 45 PageID #:301
`
`healthcare business.18 (Emphasis added).
`
`54.
`
`Predictably, Google’s efforts culminated in a recently revealed patent application
`
`for its own electronic health records system, which “include a computer memory storing
`
`aggregated EHR data from millions of patients; a computer executing deep learning on those
`
`records in a standardized data structure format, and an interface for clinicians displaying salient
`
`facts from the patient’s past and predicted future clinical events.”19 Google submitted this
`
`application in 2017, demonstrating its clear intent to commercialize the University’s medical
`
`records prior to obtaining them. Specifically, as noted below, the application discusses providing
`
`its EHR product in a “fee for service, subscription, standalone product, or other business model.”
`
`
`
`d.
`
`Google is Not Alone in its Pursuit of Medical Records; It is Just the Most
`Successful.
`
`
`55

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket