Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry

The Seventh Circuit recently rejected a series of class action claims against Google and the University of Chicago Medical Center alleging that the medical center improperly sold patient health information to the tech giant, which, in conjunction with Google’s other data, could be used to reveal patient identities and other sensitive information. The court’s July 11, 2023 decision is a major win for privacy compliance officers, whose jobs have become increasingly arduous with the proliferation of new privacy laws and the potential for significant consequences for violations.

In Dinerstein v. Google and The University of Chicago Medical Center, No. 1:19-cv-04311, the plaintiff was a patient at the university medical center in 2015. Plaintiff owned a smartphone containing Google applications and maintained a Google account that allegedly collected and transmitted his geolocation to Google. Two years later, the university and Google entered into a data partnership, with Google receiving anonymized health records for research purposes.

Plaintiff sued Google and the university, alleging that, among other things, the university had breached the contractual obligations within its privacy notice, and that Google was impermissibly capable of re-identifying patients because of its vast data network. The district court dismissed Plaintiff’s consumer-fraud claim for lack of standing and the remaining claims on various state law grounds. 484 F. Supp. 3d 561 (N.D. Ill. Sept. 4, 2020).

On appeal, the Seventh Circuit affirmed the judgment, concluding that all claims failed for lack of standing. 

First, the court denied Plaintiff’s common law privacy claim, noting that it was skeptical of a “public-disclosure tort premised on the dissemination of anonymized information” and that Plaintiff had failed to plausibly allege that anonymization in this case was deficient. “At most, he alleges that some personally identifying information ‘may have evaded redaction’”—an unsupported hypothetical.

The court also rejected Plaintiff’s contention that the combination of data within the medical records alongside geolocation and demographic data sourced from smartphone apps created the “perfect formulation” for later re-identification. This too was deemed to be a hypothetical risk of future, anticipated harm.

Second, the court found that Plaintiff also lacked standing to bring his contract claim, which argued that the university’s Notice of Privacy Practices and Outpatient Agreement and Authorization that he signed upon admittance to the medical center “contractually obligated the [u]niversity to safeguard his medical information. In his view, transferring his medical records to Google was a flagrant breach of that obligation.”

The court rejected this claim as implausible, noting that Plaintiff “signed a release” giving express consent that his medical information could be used for research. (The Seventh Circuit did not reject or explicitly accept Plaintiff’s argument that the Notice of Privacy Practices was a contractual agreement with a patient. Even if the notice was a contract, Plaintiff nonetheless failed to prove contractual damages. The court concluded that a contractual breach, without actual damages, was insufficient to confer standing.)

This is a significant decision for privacy and medical professionals alike. The court rejected speculative claims that pointed only to the possibility that anonymized or pseudonymized data could be used to re-identify plaintiffs. As such, the data holder was not held accountable for merely possessing the data or allegedly having the capability to re-identify the subject: there must be some bad intent or actual bad act.

Additionally, the decision underscores the importance of having a HIPAA-compliant Notice of Privacy Practices and making sure that adequate notices are given to patients to explain what information is collected, how the information is processed, and what the information may be used for.

Plaintiff failed to show that Google took actions to use the data to re-identify patients; there was no evidence that the anonymization process was faulty; and the university had policies and procedures in place designed to give notice to patients. “Put simply, [Plaintiff] seeks to invoke the power of the federal courts to challenge the lawfulness of an event that caused him no harm.” By taking adequate precautions to safeguard patient data and provide notice about its potential uses, Google and the university avoided potentially significant damages.

To learn more about the case’s impact and its implications for businesses, contact a Morgan Lewis healthcare or privacy lawyer.