In 2010, top Google executive Eric Schmidt told The Atlantic magazine, "Google policy is to get right up to the creepy line and not cross it. … We know where you are. We know where you've been. We can more or less know what you're thinking about."
Whether it intended to or not, Google has now crossed the creepy line — with ominous implications for patients everywhere. It partnered in a British medical project involving more than 1 million patients that was effectively hidden from the public until recently. The project's lack of concern for privacy and informed consent was blatant exploitation of these patients, and unless greater attention is paid to digital companies entering the health care universe, the public will be at significant risk in the future.
It began, as so many notorious medical experiments do, with ostensibly good intentions. In 2015, Royal Free NHS Foundation Trust, which operates a number of British hospitals, entered into a seemingly benign agreement with a Google subsidiary, DeepMind. In an effort to develop an app to monitor patients at risk of kidney disease, DeepMind was granted access to the health information of 1.6 million patients. The assumption was that this information would be limited to factors related to kidney disease, but there was no explicit mention in the agreement of the nature or amount of data to be collected. Within months, Google-contracted servers were amassing sensitive personal medical information with little relation to kidney disease, from emergency room treatments to details of personal drug abuse.
Until journalists prompted a government investigation, DeepMind accessed the personally identifiable medical records of a large number of patients — with no guarantee of confidentiality, formal research protocol, research approval or individual consent. Also, neither Royal Free nor Google chose to explain why DeepMind, with virtually no health care experience, was selected for this project. Apparently, neither British regulators nor physicians asked any substantive questions.
Only this month did Elizabeth Denham of the United Kingdom Information Commissioner's Office, the ombudsman for Great Britian's medical data, release a statement regarding a probe of the secretive DeepMind deal: "Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the trust could and should have been far more transparent with patients as to what was happening."
An admirable, albeit belated, first step by the organization that failed to anticipate the obvious dangers of an arrangement between one of Britain's largest health care providers and the world's dominant data mining and advertising corporation.
There is, of course, a larger issue at stake, one that Denham failed to address. Medical information is the last fragile redoubt of our rapidly eroding personal privacy.
While professing good intentions, Google has an unstated but obvious conflict of interest in data mining of large populations. Did Google have an ulterior motive in collecting medical information of such a huge patient cohort? And more important, when monolithic digital companies like Google, Microsoft, Apple, Facebook, and Amazon, that already control much of our personal and professional activity, enter the health care industry as they inevitably will, who will protect patients' interests?
Once these companies introduce artificial intelligence and proprietary algorithms into medical care, will there be transparency? If not, what recourse will the public have?
One author has likened Google to a one-way mirror — it knows much about us and is learning more every day, but we really know virtually nothing about it. The paramount concern of any medical research is to preserve the rights of patients and subjects, and this one-way mirror does little to ensure that.
After the U.K. Information Commissioner's investigation, DeepMind co-founder Mustafa Suleyman assured the public that new safeguards would be instituted and that the company's goal is to have a positive social impact. We expect him to say that, but the 20th century was replete with notorious studies that were kept secret or justified on the basis of their supposed societal benefit.
If the history of medical ethics has taught us anything, it is that patients do not exist to serve medical science, and that they must never be deprived of the right to control their medical treatment, regardless of researchers' stated beneficence.
Big Data is coming to medicine, and it would be wrong to deny the potential benefits of machine learning and artificial intelligence. But no matter how valuable the promise of these new approaches and how well-intentioned the motives of those responsible, without transparency, safeguards and continual oversight, the seeds of abuse and tragedy are never far away. And here in the United States, will HIPAA, the Health Insurance Portability and Accountability Act, offer sufficient protection?
Be forewarned, the story of Royal Free and Google DeepMind is a clarion call. It is the introductory chapter in a new marriage of health care and digital companies that seek to collect and control medical information.
One is reminded of the warning given to Charles Foster Kane in the film "Citizen Kane": "Only you're going to need more than one lesson, and you are going to get more than one lesson."