JAYAPAL PRESSES GOOGLE ON HEALTH DATA COLLECTION
Jayapal is a member of the House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law
WASHINGTON, DC – U.S. Representative Pramila Jayapal (WA-07), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, pressed Google and its parent company about their health care data collection activities. In a letter addressed to Alphabet Inc. CEO Larry Page, Google CEO Sundar Pichai, and Google Cloud’s Tariq Shaukat, Jayapal requested information on how the companies use the health data they collect and the procedures they have in place to protect that data.
Jayapal’s letter follows a report in The Wall Street Journal earlier this month that Google and its parent company, Alphabet, Inc., failed to adequately protect consumers’ sensitive health information and have incentives to commoditize individual health data shared through apps they acquire.
“As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it. I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision,” wrote Jayapal. “The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling.”
“People’s lives, bodies and healthcare are precious and merit extreme sensitivity. When people seek medical advice or track their healthcare, they expect privacy. In recent polls, people in the U.S. have expressed serious concerns as to whether companies such as yours can be trusted to keep their sensitive information safe, and the public deserves to receive answers to the questions raised in this letter,” concluded Jayapal.
The full text of the letter is pasted below.
Larry Page, CEO, Alphabet, Inc.
Sundar Pichai, CEO, Google
Tariq Shaukat, President, Industry Products and Solutions, Google Cloud
1600 Amphitheatre Parkway
Mountain View, California 94043
Dear Mr. Page, Mr. Pichai, and Mr. Shaukat:
I write to express my concern about Google’s expansion into health services to collect the health data of millions of Americans. People are at their most vulnerable when they seek medical help and must be able to trust that their sensitive health-related information will be treated with the utmost confidentiality. Recognizing this fact, Congress has passed laws requiring medical professionals to keep patient information confidential, including the Health Insurance Portability and Accountability Act and sections of the Patient Protection and Affordable Care Act. As Google and parent company Alphabet have engaged in an ever-widening acquisition of the highly personal health-related information of millions of people, Americans now face the prospect of having their sensitive health information handled by corporations who may misuse it. I am especially concerned that your company has not provided sufficient assurances that this sensitive data will be kept safe, and that patients’ data is being acquired by your companies without their consent and without any opt-out provision.
Google and Alphabet, Inc. have engaged in multiple acquisitions and expansions that significantly expand the companies’ access to data. Through Project Nightingale, your companies are likely to acquire over 50 million patient records and gain access to patient data from over 2,600 health care facilities. Your companies are also working to acquire Fitbit, thereby gaining the health-related data of 25 million people. Medical Brain, your health-focused artificial intelligence unit, is also actively acquiring access to patient data. Alphabet, Inc. also recently announced a partnership with the Mayo Clinic. In the UK, Google acquired DeepMind, an AI startup, and later transferred DeepMind’s UK healthcare data processing contracts over to Google. On a recent investor call, Mr. Pichai also told investors, “Health is a vertical…in which we have a whole Google Health team focused on understanding the in-depth experience that would give a better experience overall on Search.”
There have been multiple incidents that cause me to have serious concerns about Google and Alphabet, Inc.’s ability to properly safeguard sensitive health and medical information. A whistleblower working on Project Nightingale raised concerns that personally identifiable healthcare “data was being haphazardly transferred to Google without proper safeguards and security in place.” Google almost posted pictures of 100,000 people’s chest x-rays before realizing that these photos contained personally identifying information. And at least one pending lawsuit alleges that a major medical facility passed over personally identifiable medical records to your companies. In the UK, Google’s DeepMind was found by the Information Commissioner to have failed to comply with the UK’s Data Protection Act when it relied on patient data to develop new apps. The fact that Google makes the vast majority of its revenue through behavioral online advertising—creating an incentive to commoditize all user information—renders the company’s expansion into health services all the more troubling.
I request that you provide written responses to the following questions by January 5, 2020:
- What confidential health information and medical data do Alphabet, Inc. and Google currently have access to?
- What is your plan to prevent leaks, hacks and public releases of personally identifying medical information?
- Would you commit to adopting an opt-in regime, whereby Alphabet would have to obtain a user’s consent before accessing their health or medical information, rather than imposing on users an opt-out regime?
- Describe the current means by which people can opt out of having their personally identifying medical information acquired by Google and Alphabet, Inc. Please identify each specific step that a user would need to take to ensure these opt-outs.
- Describe the current means by which people can opt out of having their medical and health data acquired by Google and Alphabet, Inc. Please identify each specific step that a user would need to take to ensure these opt-outs.
- Describe your plans to create new means by which people can opt out of having health data, medical data and personally identifying medical information acquired by Google and Alphabet, Inc.
- What share of your current revenues comes from handling, analyzing, storing or otherwise accessing health data, medical data and personally identifying medical information?
- What share of your projected 2020 revenues comes from handling, analyzing, storing or otherwise accessing health data, medical data and personally identifying medical information?
- Given that Google makes the vast majority of its revenue through monetizing user data, why should the public trust that Google or Alphabet will not monetize users’ medical or health information?
People’s lives, bodies and healthcare are precious and merit extreme sensitivity. When people seek medical advice or track their healthcare, they expect privacy. In recent polls, people in the U.S. have expressed serious concerns as to whether companies such as yours can be trusted to keep their sensitive information safe, and the public deserves to receive answers to the questions raised in this letter.
Thank you for your attention to this matter.