You may love Google for all the convenience and tech advances it’s brought, or fear its size and dominance. No matter your viewpoint, Google is a tech giant and an innovator. Google is 23 this year and much has changed since its founding in 1998. One of the changes has been its growing interest and investment in healthcare.
Google and other tech companies face scrutiny over privacy issues in all their lines of business. In healthcare the issue is magnified with the sensitivity of protected health information (PHI) and state and federal laws designed to protect patient privacy.
Contact Tracing Hopes and Risks
Two individuals who used a California public health COVID-19 contact tracing app have sued Google in U.S. District Court for violating their privacy rights under California law. HIPAA, a federal law, does not provide a private right to sue, but this latest lawsuit follows a string of others where state privacy laws are used to bring cases and seek relief by individuals who believe their privacy was violated. The lawsuit claims the app violates the California Constitution and the California Confidentiality of Medical Information Act.
In 2020 Google and Apple launched the Google-Apple Exposure Notification (GAEN) System to support governments and public health agencies control the spread of the coronavirus. The app uses proximity data gathered from the Bluetooth function of mobile devices and alerts nearby individuals of potential exposure. The two users who sued claim that their protected health information (PHI) was exposed because of a security flaw affecting Android users. Twenty-six other states and territories have launched contact tracing apps that use GAEN.
Early Concerns with Contact Tracing Came to Pass
When the GAEN System was announce in April 2020, a number of privacy experts commented with concerns around user consent, and the use of APIs (application programming interface). The APIs are what allow different devices and pieces of software among devices to talk to one another and share information. The concerns expressed at the beginning have come true, according to claims in the lawsuit:
Because Google’s implementation of GAEN allows this sensitive contact tracing data to be placed on a device’s system logs and provides dozens or even hundreds of third parties access to these system logs, Google has exposed GAEN participants’ private personal and medical information associated with contact tracing, including notifications to Android device users of their potential exposure to COVID-19.
The lawsuit alleges that the GAEN System’s use of “rolling proximity identifiers” on devices’ is recorded by Google’s GMS (globalization management system) records, exposing personal health data to numerous third parties. Because the exposed information is personally identifiable, the information can be used to trace the identifier back to user identities, locations, and other identifiers.
“For those who have reported testing positive, it enables third parties to link that diagnosis back to the particular patient, defeating the purported anonymity Google claims for its service,” the lawsuit claims.
Failure to Protect Privacy is Costly
We are not predicting the outcome of the lawsuit – it was only filed last week and a decision is months away. It appears there was a security flaw though, and Google may have known about it in February 2021, but didn’t tell the public.
The plaintiffs have asked the court to order Google to stop including PHI in its system logs and to stop allowing third parties to have access to them. They also want Google to destroy all PHI it’s acquired or created. The users who sued are asking for damages and restitution, and have requested nationwide class-action status to allow the more than 28 million users who downloaded or activated the app to join the lawsuit. The ultimate outcome could be costly for Google.
The cost is not only measured in dollars. If it were, would this lawsuit register at a company this size? Last year Google reported $181.69 billion in revenue. More than Microsoft ($143.02 billion) but less than Apple ($274.52 billion), two of its competitors. The real cost of this mistake is longer term, in the loss of public trust, the competitive edge given to companies with stronger security, and the potential for stronger privacy regulations, both in the U.S. and abroad.