Project Nightingale is a data storage and processing project by Google Cloud and Ascension, a Catholic health care system comprising a chain of 2,600 hospitals, doctors' offices and other related facilities, in 21 states, with tens of millions of patient records available for processing health care data. Ascension is one of the largest health-care systems in the United States with comprehensive and specific health care information of millions who are part of its system. The project is Google's attempt to gain a foothold into the healthcare industry on a large scale. Amazon, Microsoft and Apple Inc. are also actively advancing into health care, but none of their business arrangements are equal in scope to Project Nightingale.
In early 2019, Ascension began talks with Google about developing health aggregation software to store and search medical records. The two companies signed a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement, which would allow Ascension to transfer patient data to Google Cloud, and would bar Google from using this data for purposes other than providing services to Ascension. Google first mentioned its project with Ascension in a July 2019 earnings call, which said the partnership was meant to "improve the healthcare experience and outcomes."
The Wall Street Journal first reported on "Project Nightingale" on November 11, 2019, writing that doctors and patients had not been notified of the project and that 150 Google employees had access to patient data. Google Health chief David Feinberg responded to the report in a blog post, saying all employees with access to protected health information went through medical ethics training and were approved by Ascension.
The project raised privacy fears because of Google's involvement in other privacy controversies, like DeepMind's medical data-sharing controversy and a lawsuit against Google and the University of Chicago Medical Center for allegedly processing identifying medical records. Google Cloud executive Tariq Shaukat wrote that patient data gathered from the project "cannot and will not be combined with any Google consumer data."
The data sharing includes patient names and their dates of birth, along with doctor diagnoses, lab results, and hospitalization records, amounting to access to complete electronic health records. Also included in the data sharing are addresses of the patient, family members, allergies, immunizations, radiology scans, medications, and medical conditions. After the patient checks in to the doctor's office, or hospital, or senior center - the doctor and nurse examination results are entered into a computer and uploaded to Google's cloud servers. At this point, the system is then used to suggest treatment plans, recommend replacement or removal of a doctor from the patient's health-care team, and administer policies on narcotics. Ascension, the company sharing data with Google, may also vary their billing according to treatment or procedures.
Soon after The Wall Street Journal reported on Project Nightingale, The Guardian published an account from an anonymous whistleblower who worked on Project Nightingale. This person who raised concerns that patients could not opt in or out of having their records stored on Google's servers, and that the project may not be HIPAA compliant.
The United States Department of Health and Human Services (HHS) launched an inquiry into Google's partnership with Ascension. The investigation will be run by HHS' Office of Civil Rights. Director Roger Severino said, his office "would like to learn more information about this mass collection of individuals' medical records with respect to the implications for patient privacy under [the Health Insurance Portability and Accountability Act of 1996 or HIPAA]."