Project Nightingale: What Does Google Know About Your Health?


Google has access to the health records of millions of people in 21 states. Most patients are uninformed.

The Wall Street Journal reports Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans.

Google is engaged with one of the U.S.’s largest health-care systems on a project to collect and crunch the detailed personal-health information of millions of people across 21 states.

The initiative, code-named “Project Nightingale,” appears to be the biggest effort yet by a Silicon Valley giant to gain a toehold in the health-care industry through the handling of patients’ medical data. Inc., Apple Inc. and Microsoft Corp. are also aggressively pushing into health care, though they haven’t yet struck deals of this scope.

Google began Project Nightingale in secret last year with St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities, with the data sharing accelerating since summer, according to internal documents.

The data involved in the initiative encompasses lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.

Neither patients nor doctors have been notified. At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents.

Federal Inquiry Underway

A Federal Inquiry into Google’s ‘Project Nightingale’ is now underway.

Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.

The Office for Civil Rights in the Department of Health and Human Services “will seek to learn more information about this mass collection of individuals’ medical records to ensure that HIPAA protections were fully implemented,” the office’s director, Roger Severino, said.

Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records.

Ascension has more than 2,600 facilities like hospitals and nursing homes in 21 states and Washington, D.C.

Conceptual images of the software under construction show an interface much like Google’s flagship search engine. Begin to type in a first name, and Google will produce a drop-down menu featuring other patients with similar names. A single click reveals metabolic data, medications, phone numbers and even the patient’s temperature.

The concept gave some Ascension patients pause.

Google and Ascension have signed what is known as a business associate arrangement, which specifies when a health-care vendor can access patient data. Ascension retains ownership of the data, people familiar with the matter said. Neither Google nor Ascension would give details on who at Google can access data.

HIPAA Violation?

Please consider What Information is Protected Under HIPAA Law?

HIPAA laws protect all individually identifiable health information that is held by or transmitted by a HIPAA covered entity or business associate. According to the Department of Health and Human Services’ Office for Civil Rights there are 18 identifiers that make health information personally identifiable. When these data elements are included in a data set, the information is considered protected health information and subject to the requirements of the HIPAA Privacy, Security and Breach Notification Rules.

Information may be disclosed to third parties for those purposes, provided an appropriate relationship exists between the disclosing covered entity and the recipient covered entity or business associate. A covered entity can only share PHI with another covered entity if the recipient previously had or currently has a treatment relationship with the patient and the PHI relates to that relationship. In the case of a disclosure to a business associate, a business associate agreement must have been obtained. In all cases, the minimum necessary standard applies. Disclosures must be restricted to the minimum necessary information that will allow the recipient to accomplish the intended purpose of use.

The following information is protected under HIPAA law:

  1. Names
  2. Addresses (including subdivisions smaller than state such as street, city, county, and zip code)
  3. Dates (except years) directly related to an individual, such as birthdays, admission/discharge dates, death dates, and exact ages of individuals older than 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate and license numbers
  12. Vehicle identifiers
  13. Device identifiers and serial numbers
  14. Website URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints, voice prints, iris and retina scans
  17. Full-face photos and other photos that could allow a patient to be identified
  18. Any other unique identifying numbers, characteristics, or codes

Who Has Access to What?

There may be more than a bit of a problem here, depending on how the data is stored and shared and what access Google has to it.

"At least 150 Google employees already have access to much of the data on tens of millions of patients, according to a person familiar with the matter and the documents."

Note that "prior to any use or disclosure of health information that is not expressly permitted by the HIPAA Privacy Rule, one of two steps must be taken."

  1. A HIPAA authorization must be obtained from a patient, in writing, permitting the covered entity or business associate to use the data for a specific purpose not otherwise permitted under HIPAA.
  2. The health information must be stripped of all information that allows a patient to be identified.

Sign Here Please

"Neither Google nor Ascension would give details on who at Google can access data."

Does anyone even know?

Did Ascension get signatures from all its patients?

If so, did they have any idea what they were signing?

Mike "Mish" Shedlock

Comments (19)

Sounds like Ascension outsourced their medical records to a group owned by or inside Google. If my guess is correct that Ascension got a very good price for the service, those who are animated by medical costs may want to hold their venom on this one.

Speaking of horror, there is probably not a computer person alive who has:

  1. Had contact with or had information about medical records.

  2. Not been horrified.


When you signed your agreement with your MD, likely something like 3-5 pages of fine print, rest assured that somewhere in there you accepted your MD's organization to share your data with partners as long as they also agreed to follow HIPAA law.

And here is an article you may want to read:

What Do You Know About Me? It’s way too difficult to find out what data companies are collecting about you. Nov 11, 2019


Is this not socialism/communism?? Where are the red scare posters regarding this hells bells moment in time?


Makes sense. Healthcare is a mess, it's bloody expensive and accounts for something like 12% of US GDP. The other issue (not mentioned anywhere) is that computer diagnostics are on the way...for many patients now the amount of data available is "too much" for clinicians -- and a computer is indifferent if there are 10 or 200 data points. The second issue is that healthcare providers are always looking for ways to cut guess is that the Google/Facebook/Amazon services are very very cheap (because of the big data implications).

I will guess that you will find Amazon and Facebook here too. Their bread and butter is data -- and this is a vast untapped resource for them.

Also, don't underestimate the value of the data for patient care and "choice" as it may be. People forget the unintended consequence of data crunching.


Anybody that wants that data already had it. Corporate security is a bad joke.


What Does Google Know About Your Health? I don't think they know much. I have Medicare Advantage with Kaiser. I am a huge fan of KP.


As in any totalitarian, and getting ever more so, hellhole: Increasingly, the only real cash flow available to those connected, come by way of forced transfers. Health care is a prime conduit for this, since the pliable indoctrinati have by now been rendered sufficiently clueless that they can be reliably counted on to fall for the idiocy that there is something "special" about one guy doing another one a service, as long as some half literate but well connected hack has arbitrarily classified that service as a "health care" one. So, then it is suddenly OK for the government to stampede all over freedoms, because "thiiiiz tiiiime iiiiits diiiiiferent."

As always, once the government, and its institutions; like courts, central banks, legislatures etc.; is involved; the way to maximize shareholder value, is always to focus on having those institutions take from others and hand to you. Rather than to attempt creating something said others are willing to pay for voluntarily, uncoerced and despite their ability to decline not being impeded in any meaningful way.

So the former is what companies like Google, Amazon and the rest, will focus ever more of their resources on accomplishing: Inserting themselves into value chains where the ultimate payer for the "service" rendered, is to the greatest extent possible rendered unable to fully decide whether, and whom, to pay or not. Instead he is simply being de facto forced to contribute to the rent seeking by all manners of "experts" other connecteds, whose authority ultimately rests on nothing more than government's asymmetrical access to guns.


Apparently California is going to fund training on how to discuss gun "safety" with their patients.

I am not aware of doctors discussing vehicle or other non-medical safety with patients.


In many ways it actually sucks that medical records are so fragmented and provider systems don't talk to each other very well/consistently. A long line of companies have been trying to become the de facto central aggregator of health records in the US for decades. I was working on an attempt at a big online medical info site 15 years ago. What became clear is that only a mega player like a Microsoft or a Google has a chance of becoming that central aggregator -- if it is possible at all, given exactly this kind of push-back from the public.

It would be extremely surprising if Google wasn't all over HIPAA compliance in this project. Ignoring or skirting HIPAA requirements in that space is unthinkable. Most likely Jojo is right that there is some fine print somewhere that these patients signed at some time, that Google's lawyers can argue allows this project to slurp their records. We have probably ALL signed that same crap multiple times, if you've ever been to a doctor.

Country Bob

Since plenty of identifying information is being given to Google, and patients did not give consent -- they were not even informed -- Google's legal argument is tenuous at best.

More importantly, Google doesn't even try to justify their unethical behavior -- they have no case there at all. They jumped straight to a legal defense because there is no ethical defense.

Hundreds of Google employees who have no medical need to know can now search a patient's name and find out if that patient has embarrassing medical treatments. Imagine if the gays in San Francisco (aka Google-land) realized their medical history was available to the public -- they don't get to come out to their parents or decide who knows about their HIV status, the decision belongs to a faceless corporation with no ethics and a slimy compliance department. Google employees would be livid if they were treated the way they are treating Ascension patients. That is the relevant metric, not whether an ambulance chaser can find a loophole in HIPAA law.

Doctors in the Ascension system now have a major problem. Even if Google's ambulance chasers find a way to weasel out of legal liability, doctor-patient trust has been destroyed. Anything you tell your doctor will be on Google servers within 24 hours, so don't tell your doctor anything you don't want to be neighborhood gossip.


If HIPAA cannot prevent this abuse, then it is worthless.

I won't pretend that I know if this project is HIPAA-compliant, I am not a lawyer. But I do know that Google and its partners and customers can identify individuals from the data they are collecting. With Google's access to loads of personal data, a quick search would suffice.


Google is in it for the money. No matter what benefits and progress they will be touting about great new possibilities, the bottom line is that they will find ways to leverage it so that they are making money, most of which will be a transfer of costs to other people in hidden and obscure ways.
