Project Nightingale involves the transfer of millions of peoples’ medical records and data across thousands of hospitals nationally. During this transfer, Google is helping Ascension, “the second-largest healthcare provider in the U.S.,” process that data. However, that data is being transferred and processed without the knowledge and consent of doctors and patients.
The whistleblower told The Guardian these were the sparks behind his or her initial reveal about the project: “…over time I grew increasingly concerned about the security and privacy aspects of the deal… Two simple questions kept hounding me: did patients know about the transfer of their data to the tech giant? Should they be informed and given a chance to opt in or out?”
Since the data in question is people’s medical information, the whistleblower told The Guardian that he or she felt that people especially had the right to know how their data is being used: “Data security is important in any field, but when that data relates to the personal details of an individual’s health, it is of the utmost importance as this is the last frontier of data privacy.” He or she also said that every aspect of Project Nightingale should have been “pored over” to make sure it fully followed the HIPAA legislation.
The whistleblower also reveled that he or she was worried that since the medical data collected by Google was being stored in the Cloud, security wouldn’t be as airtight. He or she highlighted the 2013 data breach that Target faced, and invited readers of The Guardian to think about a similar scenario happening with medical data.
As a result of this whistleblower, several Congress members have put Project Nightingale on their radars, and a federal inquiry has been launched to see if HIPAA protections have been followed. The whistleblower told The Guardian that he or she hopes this case will lead to “concrete change,” and that data transfers, particularly those in the medical field, will be made public and monitored “by an independent watchdog.”