News of data breaches and hacks has become commonplace and will likely increase in an age where digital information is amassed at an exponential rate [1]. Tech giants like Apple, Amazon, Google and Facebook partner with the healthcare industry to use personal data from fitness/health apps and sometimes medical records to create new technology. In a nation that spends $3.5 trillion on healthcare annually [2], there is a huge market for business, and healthcare providers see the value in tools that can increase quality of life, improve outcomes, and help diagnose and treat their patients. However, use of this highly sensitive and most personal data presents ethical issues and legal challenges. While the data continues to accumulate, the regulations and remedies for violations of privacy fall behind.
Dinerstein v. Google and the University of Chicago
This past June a class action was brought against Google and the University of Chicago on behalf of Matt Dinerstein for what the complaint describes as the “greatest heist of consumer medical records in history.” In 2017, Google partnered with the University of Chicago in a data analytics project. Hundreds of thousands of records were released to Google to develop a machine learning model designed to predict and alert caregivers when a patient is declining. Although the data provided by the University of Chicago to Google was de-identified, the plaintiff argues that because Google “has untold amounts of data regarding consumers’ daily lives” and is “one of the largest and most comprehensive data mining companies in the world,” sensitive and private health information could be linked back to the individual patient. [3]
Google and the University of Chicago filed motions to dismiss the case with prejudice. The defendants argue that the release of medical record information was allowed per research provisions of HIPAA regulations, but also that the plaintiff’s claim fails as there is no injury in fact. While it may be possible for Google to reidentify individuals, it has not done so, nor does it plan to do so. “Plaintiff has not alleged the required constitutional ‘injury-in-fact’ necessary to support Article III standing…. even if Plaintiff satisfied Article III’s requirements, Plaintiff still fails to state any claim upon which relief may be granted.” [4]
Article III Standing and Privacy Rights
As discussed in class, a civil case does not have standing if there is no case or controversy. To have Article III standing, the plaintiff is required to show:
1) Injury in fact,
2) Causation (the injury is linked to the defendant’s action); and
3) Redressability (identify some form of relief that will alleviate the injury caused by the defendant) [5]
The “injury in fact” standard is hard-hitting when considering privacy rights. The Supreme Court has said an “injury in fact” should be concrete and particularized, actual or imminent, and not conjectural or hypothetical [6]. It does not appear that Dinerstein v. Google would meet this standard. Consider the sensitivity of genetic, mental health, and substance abuse information disclosed from medical records. Inappropriate use and disclosure could limit an individual’s ability to obtain health or life insurance, and impact reputation, ability to obtain employment, and so forth. Once private information is breached, it can’t be retrieved. The consequences for an individual could be life altering.
Questions
Is it reasonable that there is no civil remedy for privacy violations until injury actually occurs?
Should the Supreme Court take a broader view of standing in consideration of privacy rights?
Sources:
3- Dinerstein v. Google, No. 1:19-CV-04311, 2019 WL 2627324 (N.D. Ill.) (Trial Pleading)
4- Dinerstein v. Google, Case No. 1:19-CV-04311 – University of Chicago’s Memorandum in Support of their Motion to Dismiss
5- Manuet & Marcus, Pretrial, 68 (2015)
6- Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)
7- https://www.nytimes.com/2019/06/26/technology/google-university-chicago-data-sharing-lawsuit.html