`IN THE UNITED STATES DISTRICT COURT
`FOR THE NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION
`
MATT DINERSTEIN, individually and on behalf of all others similarly situated,

Plaintiff,

v.

GOOGLE, LLC, a Delaware limited liability company, and THE UNIVERSITY OF CHICAGO MEDICAL CENTER, an Illinois not-for-profit corporation, THE UNIVERSITY OF CHICAGO, an Illinois not-for-profit corporation,

Defendants.

Case No. 1:19-cv-04311

Hon. Rebecca R. Pallmeyer
`
`AMENDED CLASS ACTION COMPLAINT AND DEMAND FOR JURY TRIAL
`
`Plaintiff Matt Dinerstein brings this Amended Class Action Complaint and Demand for
`
`Jury Trial against Defendant Google, LLC (“Google”), and against Defendants The University of
`
`Chicago Medical Center, and The University of Chicago (collectively referred to as the
`
`“University” or “University of Chicago”). Plaintiff, individually and on behalf of all others
`
`similarly situated, alleges as follows upon personal knowledge as to himself and his own acts and
`
`experiences, and, as to all other matters, upon information and belief.
`
`NATURE OF THE ACTION
`
`1.
`
`While tech giants have dominated the news over the last few years for repeatedly
`
`violating consumers’ privacy, Google managed to fly under the radar as it pulled off what is
`
`likely the greatest heist of consumer medical records in history. The compromised personal
`
`information is not just run-of-the-mill like credit card numbers, usernames and passwords, or
`
`even social security numbers, which nowadays seem to be the subject of daily hacks; rather, the
`
`personal medical information sold to Google by the University of Chicago is the most sensitive
`
`Case: 1:19-cv-04311 Document #: 42 Filed: 10/08/19 Page 2 of 45 PageID #:287
`
`and intimate information in an individual’s life, and its unauthorized disclosure is far more
`
`damaging to an individual’s privacy.
`
`2.
`
`Beginning in or around 2016, Google set in motion a plan to make its most
`
`significant play in the healthcare space. This plan had two key components: (1) obtain the
`
`Electronic Health Record (“EHR”) of nearly every patient from the University of Chicago
`
`Medical Center from 2009 to 2016; and (2) file a patent for its own proprietary and commercial
`
`EHR system that wouldn’t be published until well after it had obtained hundreds of thousands of
`
`EHRs from the University.
`
`3.
`
`EHRs contain patients’ highly sensitive and detailed medical records, including
`
`records revealing not only a person’s height, weight and vital signs, but whether they suffer from
`
`diseases like AIDS, cancer, sickle cell, depression, sarcoidosis, or diabetes, or went through a
`
`medical procedure like an abortion, transplant, or mastectomy. In short, EHRs are the most
`
`personal and sensitive information that exist about a person.
`
`4.
`
`The disclosure of EHRs here is even more egregious because the University
`
`promised in its patient admission forms that it would not disclose patients’ records to third
`
`parties, like Google, for commercial purposes. Nevertheless, the University did not notify its
`
`patients, let alone obtain their express consent, before selling their confidential medical records
`
`to Google as part of a research study.
`
`5.
`
`In an attempt to provide the public a false sense of security over the legitimate
`
`privacy concerns with these practices, Google and the University claimed the medical records
`
`were de-identified. But that’s incredibly misleading. The records the University provided Google
`
`included detailed datestamps1 and copious free-text notes. As shown below, Google—as one of
`
`the most prolific data mining companies—is uniquely able to determine the identity of almost
`
`every medical record the University released.
`
`6.
`
`This ability is only increased by and through Google’s direct subsidiary,
`
`DeepMind, an international leader in artificial intelligence machine learning. In the year
`
`following Google’s massive medical data grab, it fully absorbed and took control of a division of
`
`DeepMind known as “DeepMind Health,” for the specific purpose of analyzing medical records
`
`and creating commercial products. Google’s access to DeepMind’s technology allows it to find
`
`connections between various data points (i.e. from EHRs and Google users’ data).
`
`7.
`
`Google spent the last decade attempting to gain a foothold in the trillion-dollar per
`
`year healthcare industry. But, to develop the type of healthcare technologies most in line with its
`
`data analytics and mining platforms, Google needed access to massive amounts of identifiable
`
`medical records. To a company like Google—best known for its ubiquitous search engine, but in
`
`reality, one of the largest data mining companies in the world—access to that type of data is
`
`extremely elusive.
`
`8.
`
`To be sure, Google’s overtures for such detailed and identifiable records from
`
`hospitals, researchers, and healthcare providers alike were all uniformly rebuffed. That is, of
`
`course, until Google came across The University of Chicago.
`
`9.
`
`The University provided Google a partner willing to turn over the information that
`
`it desperately needed. Indeed, the University—seeking not much more than notoriety for its
`
`collaboration with Google in the development of healthcare products—was happy to turn over
`
`
1 The term “datestamp,” in the medical field, is inclusive of both date and time. Datestamps in the University’s electronic medical record system are stored as the number of seconds since midnight on December 31, 1840.
`
`the confidential, highly sensitive and HIPAA-protected records of every patient who walked
`
`through its doors between 2009 and 2016. Ultimately, by getting the University to turn over
`
`these records, Google quietly pulled off a feat that other tech giants (like Facebook) have had to
`
`abandon under mounting public pressure for other gross privacy violations.2
`
`10.
`
`In exchange for confidential patient medical records, Google agreed to provide
`
`the University with a perpetual license to use the software it developed. Other than this limited
`
`license, Google kept all intellectual property rights to the software it developed using patients’
`
`medical information, including the right to commercialize the software later. To put it another
`
`way: Google paid the University for medical information (that rightfully belongs to patients) by
`
`providing a license to its proprietary software.
`
`11.
`
`The arrangement with the University allowed Google to begin developing
`
software that it can market to hospitals looking to improve their bottom lines. Google’s product can
`
`be sold at premium prices because it targets areas that are very expensive for hospitals: “future
`
`healthcare utilization,” “emergency department visit[s],” “encounter cost of care,” and—
`
`critically—“hospital readmission.” Readmission in particular is an important matter for hospitals,
`
`because Medicare reduces payments to hospitals that have excess readmissions for common
`
`conditions such as heart failure or pneumonia.3 On information and belief, the software Google is
`
`developing using Plaintiff’s and Class members’ private medical information is worth more than
`
`$10,000,000.
`
`
2 Facebook sent a doctor on a secret mission to ask hospitals to share patient data, CNBC, https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html?cid=sm_npd_nn_tw_ma (last visited on October 2, 2019).

3 Centers for Medicare & Medicaid Services, Hospital Readmissions Reduction Program (HRRP), https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/Value-Based-Programs/HRRP/Hospital-Readmission-Reduction-Program.html (last visited on October 2, 2019).
`
`12.
`
`And as if all of this weren’t bad enough, the University also engaged in a cover up
`
`to keep the breach out of the public eye so as to avoid the public backlash. The cover up is
`
`particularly egregious because the University had a legal duty to inform its patients and the
`
`authorities of the unauthorized transfer of their medical records to Google. While this type of
`
`public misinformation campaign may be expected from a tech company that has been known to
`
`play fast and loose with the information of its customers, the fact that a prominent institution like
`
`The University of Chicago would act in such a way is truly stunning.
`
`13.
`
`Accordingly, this Complaint seeks all appropriate damages and injunctive relief to
`
`address, remedy, and prevent further harm to Plaintiff and the Class resulting from Defendants’
`
`gross misconduct.
`
`PARTIES
`
14.

Plaintiff Matt Dinerstein is a natural person and a citizen of the State of Illinois.

15.

Defendant Google, LLC, is a limited liability company existing under the laws of
`
`the State of Delaware, with its principal place of business located at 1600 Amphitheatre
`
`Parkway, Mountain View, California 94043.
`
`16.
`
`Defendant The University of Chicago Medical Center is a not-for-profit
`
`corporation existing under the laws of the State of Illinois, with its principal place of business
`
`located at 5841 South Maryland Avenue, Chicago, Illinois 60637.
`
`17.
`
`Defendant The University of Chicago is a not-for-profit corporation existing
`
`under the laws of the State of Illinois, with its principal place of business located at 5801 South
`
`Ellis Avenue, Chicago, Illinois 60637.4
`
`
4 The University of Chicago Medical Center and The University of Chicago are fully integrated entities that have acted jointly in this case. The University of Chicago Medical Center and The University of Chicago are jointly managed and share employees.
`
`JURISDICTION & VENUE
`
`18.
`
`This Court has subject matter jurisdiction under 28 U.S.C. § 1332(d)(2) because
`
`(i) at least one member of the Class is a citizen of a different state than any Defendant, (ii) the
`
`amount in controversy exceeds $5,000,000, exclusive of interests and costs, and (iii) none of the
`
`exceptions under that section apply.
`
`19.
`
`This Court has personal jurisdiction over Defendants because they conduct
`
`business in this District and the wrongful conduct giving rise to this case occurred in, was
`
`directed to, or emanated from this District. This Court further has personal jurisdiction over
`
`Defendants The University of Chicago Medical Center and The University of Chicago because
`
`they are headquartered in this District.
`
`20.
`
`Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendants
`
`The University of Chicago Medical Center and The University of Chicago maintain their
`
`headquarters and principal place of business in this District, and a substantial part of the events
`
`giving rise to Plaintiff’s Complaint occurred in this District.
`
`FACTUAL BACKGROUND
`
I. Detailed and Identifiable Medical Records are the Most Valuable Consumer Data, and the Hardest to Obtain.

21. With the rise of the data mining industry, corporations have started gathering

untold amounts of data regarding consumers’ daily lives, including what they do on their phones,
`
`and computers, where they travel each day, and even what they purchase in retail stores. From
`
`this, data miners and brokers can build detailed portfolios about consumers that are then bought
`
`and sold for a variety of purposes.
`
`22.
`
`A key component of any data portfolio is the status of a consumer’s health. While
`
`data points such as purchase histories, search engine and browsing histories, as well as social
`
`media posts can provide insight into certain health problems, a clear picture of a consumer’s
`
`health remains largely a black hole for data miners. The only substantial remedy to this problem
`
`is access to detailed and complete medical records.
`
`23.
`
`A multi-billion-dollar industry has arisen in response to this need.5 Pharmacies,
`
`insurance companies, and other medical organizations—including federal and many state health
`
`departments—provide limited medical information to data brokers. Three quarters of all retail
`
`pharmacies send some portion of their electronic records to these companies. While this data is
`
`largely de-identified, data brokers are able to make numerous assumptions about the data in
`
`order to make it into a marketable product.6
`
`24.
`
`These data points are often incomplete in other ways beyond de-identification. In
`
`most instances, the data points are merely a snapshot of a small part of a consumer’s overall
`
`health (e.g., a specific prescription or a single ailment, etc.). This type of data will rarely, if ever,
`
`show a complete medical history or in-depth accounting of medical ailments and procedures over
`
`time.7 That data, largely contained only in the records of doctors and hospitals, is far more rare
`
`and is viewed as a “Holy Grail” of health information for any data miner.8
`
`
5 How Data Brokers Make Money Off Your Medical Records, SCIENTIFIC AMERICAN, https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records (last visited on October 2, 2019).

6 Your private medical data is for sale – and it's driving a business worth billions, THE GUARDIAN, https://www.theguardian.com/technology/2017/jan/10/medical-data-multibillion-dollar-business-report-warns (last visited on October 2, 2019).

7 The incredible potential and dangers of data mining health records, THE WASHINGTON POST, https://www.washingtonpost.com/news/innovations/wp/2014/10/01/the-incredible-potential-and-dangers-of-data-mining-health-records/?utm_term=.f92ac1b63800 (last visited on October 2, 2019).

8 How Your Medical Data Fuels a Hidden Multi-Billion Dollar Industry, TIME, http://time.com/4588104/medical-data-industry (last visited on October 2, 2019); see also The Hidden Global Trade in Patient Medical Data, YALEGLOBAL ONLINE, https://yaleglobal.yale.edu/content/hidden-global-trade-patient-medical-data (last visited on October 2, 2019).
`
`25.
`
`A complete health record is an extremely sensitive data set that provides insight
`
`into the most personal aspects of an individual’s life. It can shed light on chronic conditions, life-
`
`threatening illnesses, whether a person has addiction issues, disabilities, and issues related to
`
`pregnancy, along with personal details such as sexual preferences, gender nonconformity, and
`
`sexually transmitted diseases.
`
`26.
`
`The details of an individual’s medical history are of significant value to a variety
`
`of interested parties, including employers, schools, governments, insurance companies, lenders,
`
`retail marketers, and obviously, companies in the health care business. These entities can rely on
`
`consumers’ records to make decisions about whether to lend money, how to price insurance
`
`products, whether to hire a person, and even identify reasons to discriminate.
`
`27.
`
`Full medical records are so sensitive, and so sought after, that Congress created a
`
`comprehensive statutory regime, known as the Health Insurance Portability and Accountability
`
`Act (“HIPAA”), to prevent their unauthorized disclosure. HIPAA established rules that require
`
`healthcare organizations to limit who can access, view, or share health data. It is meant to ensure
`
`that any information disclosed to healthcare providers (e.g., doctors and hospitals) and health
`
`plans (e.g., insurance companies), or information that is created by them, is subject to strict
`
`security controls. Patients are also given control over who their information is released to and
`
`who it is shared with.
`
`28.
`
`Besides the obvious obligations that health-care providers, like the University,
`
`have to act in the best interest of their patients’ health, a primary duty of any health care provider
`
`during and long after patients are cared-for—regardless of whether in connection with a run-of-
`
`the-mill visit to the doctor’s office or life-saving trip to the emergency room—is to protect their
`
`privacy and secure their medical records HIPAA.
`
`29. Without HIPAA, data miners like Google, in conjunction with hospitals like the
`
`University, could create a thriving marketplace for medical data. Companies would willingly pay
`
`millions of dollars for complete medical records, which they would analyze, repackage and sell
`
`to thousands of clients.
`
II. The University of Chicago Agreed to Protect the Medical Records of Millions of Patients.
`
`30.
`
`As the University is well aware, HIPAA alone isn’t always enough to protect
`
`patient information. At the Google Cloud Next conference in 2017, University of Chicago
`
`Associate Chief Research Informatics Officer Samuel Volchenboum explained to an audience
`
`that supposedly anonymous healthcare data can often be easily matched with other data to
`
`identify the subject of the data. He noted that even taking out the data required to be removed by
`
`HIPAA “might not be enough” to protect a patient’s anonymity and explained in detail how
`
`HIPAA-compliant data could be and had been used to identify individual patients.
`
`31.
`
`The University holds itself out as following the highest standards of patient care
`
`and being among the highest rated and most awarded hospitals in the world,9 claims which
`
`extend to their commitment to patient privacy and the protection of medical data. In keeping with
`
`that promise, the University widely represents that it follows HIPAA and other applicable laws,
`
`takes patient privacy seriously, and describes how it will protect patient medical records.
`
`32.
`
`HIPAA contains no private right of action, meaning that, standing alone, HIPAA
`
`does not provide patients with a way to enforce the privacy of their medical information.
`
`However, the standard agreement the University drafted for its patients to sign before obtaining
`
`treatment goes beyond the requirements of HIPAA. The agreement not only gives notice of the
`
`
9 Awards and Accreditations, UChicago Medicine, http://www.uchospitals.edu/about/awards/ (last visited on October 2, 2019).
`
`privacy practices, as is required, but it creates an enforceable promise between patients and the
`
`University, promising both that the University will make “all efforts” to protect patients’ privacy
`
`and that the University will only use patients’ medical information in accordance with state and
`
`federal laws, including all patient privacy laws. No applicable law requires the University to
`
`include such promises in its contract with patients.
`
`33.
`
`The records governed by federal and state patient privacy laws are exactly the
`
`type of medical records in the possession of the University. Each time a patient is seen, whether
`
`for a brief outpatient procedure or a month-long in-patient stay, the University collects detailed
`
`information about their current and past health conditions, as well as creates sensitive new data
`
`while the individual is treated. Individuals entrust their most personal information, experiences,
`
`and physical and mental hardships to the medical staff of the University. This can include genetic
`
`information, family health histories, details of sexual encounters, mental illness or a terminal
`
`diagnosis. In return, patients expect that the University will act accordingly and protect their
`
`privacy.
`
`34.
`
`Over decades of operation, the University has collected and stored billions of data
`
`points through millions of patient medical records.
`
`35.
`
`From both a legal and ethical standpoint, it is unquestionable that the University is
`
`obligated to protect patient data, prevent its unauthorized disclosure, and act in the best interests
`
`of its patients. It is equally obvious that the University’s patients do not want, and do not consent
`
`to, the transfer of their medical records to a third-party data miner intent on using them for
`
`commercial purposes.
`
`36.
`
`The obligation to protect patient data at the University is heightened by the socio-
`
`economic makeup of its patients. A significant portion of the patients treated at the University
`
`are socially and economically disenfranchised, making them far less able to vindicate and
`
`advocate for their privacy rights.
`
`IV. An Overview of Google and its Aggressive Efforts to Enter the Trillion-Dollar Per
`Year Healthcare Industry.
`
`37.
`
`Although primarily recognized for its search engine, Defendant Google operates
`
`one of the most far reaching and comprehensive data mining machines in the world. The Wall
`
`Street Journal recently noted that,
`
`Google Analytics is far and away the web’s most dominant analytics platform.
`Used on the sites of about half of the biggest companies in the U.S., it has a total
`reach of 30 million to 50 million sites. Google Analytics tracks you whether or
`not you are logged in. Meanwhile, the billion-plus people who have Google
`accounts are tracked in even more ways. In 2016, Google changed its terms of
`service, allowing it to merge its massive trove of tracking and advertising data
`with the personally identifiable information from our Google accounts…. Google
`also is the biggest enabler of data harvesting, through the world’s two billion
`active Android mobile devices.10
`
`38. With billions of monthly active users, Google has access to an exorbitant amount
`
`of personal consumer data, including Internet web browsing histories (Google Chrome), Internet
`
`searches (Google Search), physical locations (Google Maps and Waze), personal and work email
`
`(Gmail), and mobile devices (Android). This wealth of information feeds into Google’s highly
`
`profitable analytics and advertising platform, which makes up virtually all of its $110.8 billion of
`
`annual revenues.
`
`39. While analytics and advertising are its primary source of income, Google
`
`constantly looks to develop new products and services, and enter new markets. One market it has
`
`been aggressively trying to enter is the trillion-dollar per year healthcare industry.
`
`
10 Who Has More of Your Personal Data Than Facebook? Try Google, THE WALL STREET JOURNAL, https://www.wsj.com/articles/who-has-more-of-your-personal-data-than-facebook-try-google-1524398401 (last visited on October 2, 2019).
`
a. Google Research
`
`40.
`
`Over the last decade, Google has invested heavily in health-related products and
`
`services, including:
`
• Introducing G Suite (i.e., Gmail, Docs, Drive, Calendar, and other cloud
services) for healthcare businesses;
`
`• Developing Google Cloud (i.e., Google’s cloud storage and computing
`platform) for HIPAA compliant workloads;
`
`• Creating Google Genomics, which is Google’s cloud platform that analyzes
`and stores massive amounts of human genetic data (i.e., DNA);
`
`• Launching Google Fit, which is a service that monitors individual’s physical
`activity, steps, and caloric intake;
`
`• Adding “symptom search” and “health cards” to Google Search, which allows
`consumers to more easily research answers to common health-related
`questions;11 and
`
`• Making “big bets in healthcare and life sciences” including spending hundreds
`of millions investing in and acquiring healthcare companies like Calico,
`DeepMind, and Verily.
`
`41.
`
`Google also created what it calls its Google Research healthcare team. Google
`
`Research is Google’s in-house research center that it markets as an academic-type think tank or
`
`research center (in reality, it’s just a product research and development division). The healthcare
`
`team, in turn, researches opportunities for applying Google technologies—machine learning and
`
`artificial intelligence (“AI”), in particular—to healthcare. According to its marketing materials,
`
`Google’s healthcare team believes:
`
`“AI is poised to transform medicine, delivering new, assistive technologies that will
`empower doctors to better serve their patients. Machine learning has dozens of
`
11 In fact, 1 in 20 Google searches are for health-related information. See Prem Ramaswami, A remedy for your health-related questions: health info in the Knowledge Graph, GOOGLE (Feb. 10, 2015), https://googleblog.blogspot.com/2015/02/health-info-knowledge-graph.html (last visited on October 2, 2019).
`
`
possible application areas, but healthcare stands out as a remarkable opportunity. . . .”12
`
`42.
`
`Google was especially interested in using its machine learning models to predict
`
`healthcare events, like detecting a patient’s heart attack hours or even days in advance.
`
`43.
`
`But Google had difficulty gaining a foothold in the predictive health analytics
`
`industry. Indeed, Google’s major hurdle to predicting healthcare events, as described above, was
`
`a lack of access to massive amounts of personal health data, which consumers are not eager to
`
`share with data miners and thus, healthcare providers are prohibited from doing so. Google knew
`
`this, so it attempted a work-around.
`
`44.
`
`In 2008, Google attempted to gather consumer medical data by developing a
`
`service that let consumers organize and store their personal health data and medical records on
`
`Google’s platform. The service barely got off the ground, however. After a short period of time,
`
`it was discontinued for a lack of consumer participation.
`
`45.
`
`Thereafter, Google went looking for new avenues of access to patient data.
`
b. DeepMind
`
`46.
`
`In 2014, for $520 million, Google acquired a tiny startup named DeepMind that
`
`focused on bringing artificial intelligence and advanced machine learning to, among others, the
`
`healthcare industry.
`
`47.
`
`Following this acquisition, Google, in part through DeepMind, embarked on a
`
`campaign, veiled as well-intentioned research, to obtain millions of medical records from health
`
`care organizations.
`
`48.
`
`Initially, Google and DeepMind participated in a 2015 “study” that processed
`
`
12 Healthcare and biosciences, GOOGLE RESEARCH, https://research.google.com/teams/brain/healthcare/ (last visited on October 2, 2019).
`
`patient data from the Royal Free NHS Foundation Trust. The medical record sharing there raised
`
`serious concerns about privacy and patient consent. The Information Commissioner’s Office, a
`
`UK data protection watchdog, stated, “[o]ur investigation found a number of shortcomings in the
`
`way patient records were shared for this trial . . . Patients would not have reasonably expected
`
`their information to have been used in this way, and the Trust could and should have been far
`
`more transparent with patients as to what was happening.” It concluded that the agreement with
`
`Royal Free “failed to comply with data protection law.”13
`
`49.
`
`DeepMind, in response, stated “in our determination to achieve quick impact
`
`when this work started in 2015, we underestimated the complexity of the NHS and of the rules
`
`around patient data, as well as the potential fears about a well-known tech company working in
`
`health.”14
`
`50. While their statements were meant to be an apology and included promises to
`
`protect patient privacy, it did not change Google’s course.15
`
`51.
`
`During this time, Google and DeepMind widely propagated the narrative that
`
`DeepMind would continue to operate independently and outside the reach of Google, and that
`
`
13 See Royal Free breached UK data law in 1.6m patient deal with Google’s DeepMind, THE GUARDIAN, https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act (last visited on October 2, 2019); see also The Information Commissioner, the Royal Free, and what we’ve learned, https://deepmind.com/blog/ico-royal-free (last visited on October 2, 2019).

14 The Information Commissioner, the Royal Free, and what we’ve learned, DeepMind.com, https://deepmind.com/blog/ico-royal-free/ (last visited on October 2, 2019).

15 Google has since gained access to 700,000 medical records through the US Department of Veterans Affairs. It remains unclear, what, if any, consent veterans provided to share their medical records with Google or the level of detail included in those records. Researching patient deterioration with the US Department of Veterans Affairs, DeepMind.com, https://deepmind.com/blog/research-department-veterans-affairs/ (last visited on October 2, 2019).
`
`
`Google would not have direct access to patient records.
`
c. Google’s Commercialization Plans
`
`52.
`
`However, shortly after Google acquired hundreds of thousands of records from
`
`the University of Chicago, that narrative finally fell apart. In November 2018, Google announced
`
`that it would fully absorb and take control of DeepMind Health, separating it from DeepMind
`
`itself.16 As such, any supposed wall protecting health data collected and processed by DeepMind
`
`was gone. And furthermore, Google now has at its disposal all the advanced capabilities
`
`possessed by DeepMind to apply to the health records acquired from the University of
`
`Chicago.17
`
`53.
`
`Additionally, it is clear that the takeover of DeepMind Health was meant to be a
`
`major step toward the full-scale commercialization of Google’s health products. As noted by the
`
`Financial Times:
`
`David Feinberg, the former head of the US private healthcare group Geisinger,
`will run Google Health, drawing together and commercializing the company’s
`disparate experiments in everything from diagnosing cancer to managing chronic
`illness and equipping doctors with more technology… ‘[Feinberg’s] expertise is
`on the operational side of the health payer-provider space, rather than research.
`His role will be to figure out a go-to-market strategy, how to deploy and sell tools
`to hospitals, health insurance carriers and patients,’ said Nikhil Krishnan, health
`analyst at CBInsights, who has authored an in-depth report on Google’s
`
`
16 DeepMind Is Handing DeepMind Health Over To Google, FORBES, https://www.forbes.com/sites/samshead/2018/11/13/deepmind-is-handing-over-deepmind-health-to-google/#6db706b72d55 (last visited on October 2, 2019); Why Google Just Tightened Its Grip On DeepMind, Forbes, https://www.forbes.com/sites/parmyolson/2018/11/14/why-google-just-tightened-its-grip-on-deepmind/#1aa439552789 (last visited on October 2, 2019).

17 Google has a responsibility to protect DeepMind data, Financial Times, https://www.ft.com/content/83e1e46c-ebf0-11e8-8180-9cf212677a57 (last visited on October 2, 2019); Google, DeepMind and my confidential health records, Financial Times, https://www.ft.com/content/2ee8c190-ed28-11e8-8180-9cf212677a57 (last visited on October 2, 2019).
`
`
`healthcare business.18 (Emphasis added).
`
`54.
`
`Predictably, Google’s efforts culminated in a recently revealed patent application
`
`for its own electronic health records system, which “include a computer memory storing
`
`aggregated EHR data from millions of patients; a computer executing deep learning on those
`
`records in a standardized data structure format, and an interface for clinicians displaying salient
`
`facts from the patient’s past and predicted future clinical events.”19 Google submitted this
`
`application in 2017, demonstrating its clear intent to commercialize the University’s medical
`
`records prior to obtaining them. Specifically, as noted below, the application discusses providing
`
`its EHR product in a “fee for service, subscription, standalone product, or other business model.”
`
`
`
d. Google is Not Alone in its Pursuit of Medical Records; It is Just the Most Successful.
`
`
`55