Google has secretly accessed the personal health records of tens of millions of individuals in 21 states, according to a new report from the Wall Street Journal.
The tech giant has partnered with St. Louis-based Ascension, the country’s second-largest health system, in an initiative called Project Nightingale to gain access to lab results, doctor diagnoses, and hospitalization records, as well as other categories.
Google is reportedly using the data in part to design new software that helps suggest different avenues of care for individual patients.
Neither patients nor doctors have been notified about Google’s activity, according to the Journal. An anonymous source said that at least 150 Google employees already have gained access to “much of the data on tens of millions of patients.”
Privacy experts told the Journal that Google’s actions appear to be legal under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA rules allow hospitals to share data with business partners without telling patients, as long as the information is used “only to help the covered entity carry out its health-care functions,” according to the Journal.
A Google spokeswoman told the newspaper that the project is fully compliant with federal health law and includes “robust protections” for patient data.
The Journal noted that some Ascension employees have raised questions about the way the data is being collected and shared, according to documents.
Google has come under fire over its privacy practices that critics say often leaves users’ personal information exposed.
The search engine was recently ordered to pay between $150 and $200 million to resolve a Federal Trade Commission investigation into YouTube regarding its potential violation of a children’s privacy law.
Google has also pledged to do more to protect the privacy of users of its voice-activated Google Assistant devices after reports said that company contractors listened in on parts of private conversations.