Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans

Maybe Keith Enright, Legal Director of Privacy @GOOGLE @ALPHABET, isn’t as bad as Hitler, but Keith was the next one in line (under Sergi and Brin) who agreed to do the dirty work of making sure none of us would ever have our data protected from the companies that sell our data. Who is going to get insurance now when they know everything that happens to us personally and to everyone in our family for all the next generations into the abyss? We are all fucked!!!!!

Google launched the effort last year with Ascension, the country’s second-largest health system, a Catholic health care system based in St. Louis that operates across 21 states and the District of Columbia.

It’s all about buying and selling the electronic records they have on all of us!

Eduardo Conrado was Ascension’s chief strategy and innovations officer, a role he describes as one that ‘starts and ends with people’. In September, Ascension had named Conrado to the system’s newly created position of executive vice president and chief digital officer; in July 2019 he was promoted to executive vice president and chief strategy and innovations officer.

Jacqueline Carberry Baratian joins Ascension as Chief Compliance Officer reporting to Christine Kocot McCoy, JD, Executive Vice President and General Counsel. Jackie has a thorough understanding of compliance and governmental requirements within the rapidly evolving healthcare environment. Currently a Partner at Alston & Bird, LLP, in Washington, D.C., she serves as outside counsel to healthcare industry clients on compliance plan development, implementation and audits, and performs compliance program assessments for hospitals, health systems and post-acute care providers. She is a member of the American Health Lawyers Association. Before joining the firm in 2016, Jackie served as Vice President & Chief Medicaid Compliance Officer with Aetna in Bethesda, Maryland, where she oversaw Aetna’s Medicaid Compliance Program nationwide.

Google’s Cloud servers. The idea was that by using the system, Ascension health providers could use a tool called Patient Search to pull up individual patient pages. According to Forbes, which says it viewed a presentation on the topic, “The page includes complete patient information as well as notes about patient medical issues, test results and medications, including information from scanned documents.”

Keith Enright, Legal Director of Privacy @GOOGLE @ALPHABET

Keith Enright joined Google in March 2011 as Senior Privacy Counsel.

Keith Enright has data. Keith’s data isn’t in the database.

Project Nightingale: Google accesses trove of US patient data

Search giant is amassing health records from Ascension facilities in 21 states; patients not yet informed.

Tech giants like Amazon and Apple are expanding their businesses to include electronic health records — which contain data on diagnoses, prescriptions and other medical information. That’s creating both opportunities and spurring privacy concerns.

Google, University of Chicago named in suit charging misuse of patient data

The class action complaint alleges that, despite being deidentified, Google’s expertise in data mining and AI makes it “uniquely able to determine the identity” of the medical records shared with it by the university.

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – were shared with Google without authorization.
UChicago Medicine, UChicago Medical Center and Google are named in the lawsuit. The suit claims patient information was shared with Google as part of a study aimed at advancing the use of artificial intelligence, but that patient authorization was not obtained in advance and the data were not properly deidentified.
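The complaint’s point is that stripping names does not make records anonymous if quasi-identifiers (ZIP code, birth year, exact dates of service) survive, because those fields can be joined against an outside dataset that does carry names. The following is an added example, not code from the page or from any party to the lawsuit, that measures this on a constructed, made-up set of six “de-identified” records: it computes the k-anonymity of the release, performs the classic linkage attack against a constructed outside table, and shows how generalizing the quasi-identifiers (3-digit ZIP, 10-year birth band, year-only dates, a Safe Harbor style coarsening chosen here as an illustrative assumption) removes the unique record. The diagnosis codes and names are invented.

```python
from collections import Counter
from datetime import date

# Constructed sample of "de-identified" records: names are gone, but ZIP code,
# birth year and an exact admission date remain. These are quasi-identifiers,
# the fields a linkage attack joins against outside data. Illustration only.
RECORDS = [
    {"zip": "60637", "birth_year": 1971, "admitted": date(2015, 3, 2), "dx": "I10"},
    {"zip": "60637", "birth_year": 1971, "admitted": date(2015, 3, 2), "dx": "E11"},
    {"zip": "60637", "birth_year": 1975, "admitted": date(2015, 3, 9), "dx": "J45"},
    {"zip": "60615", "birth_year": 1952, "admitted": date(2015, 4, 1), "dx": "C50"},
    {"zip": "60615", "birth_year": 1952, "admitted": date(2015, 4, 1), "dx": "I25"},
    {"zip": "60615", "birth_year": 1952, "admitted": date(2015, 4, 1), "dx": "M54"},
]

# Constructed outside dataset that carries names (the role a public roll or a
# social-media profile plays in a real linkage attack). Invented values.
OUTSIDE = [
    {"name": "A. Example", "zip": "60637", "birth_year": 1975},
    {"name": "B. Example", "zip": "60637", "birth_year": 1971},
    {"name": "C. Example", "zip": "60637", "birth_year": 1971},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "admitted")


def _key(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means some record is
    unique on its quasi-identifiers and can be singled out by anyone who
    knows those values about a person."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """The records that are alone in their equivalence class."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[_key(r, keys)] == 1]


def link(records, outside, keys=("zip", "birth_year")):
    """Linkage attack: return (name, dx) pairs where exactly one record and
    exactly one outside row agree on the join keys, so the match is
    unambiguous and the diagnosis is attributed to a named person."""
    rec_classes = equivalence_classes(records, keys)
    out_index = {}
    for row in outside:
        out_index.setdefault(_key(row, keys), []).append(row)
    hits = []
    for r in records:
        key = _key(r, keys)
        if rec_classes[key] == 1 and len(out_index.get(key, [])) == 1:
            hits.append((out_index[key][0]["name"], r["dx"]))
    return hits


def generalize(record):
    """Coarsen quasi-identifiers in the spirit of HIPAA Safe Harbor: 3-digit
    ZIP prefix, 10-year birth band, and year only for the admission date.
    The exact bands are an illustrative assumption, not a rule of the page."""
    return {
        "zip": record["zip"][:3] + "**",
        "birth_year": (record["birth_year"] // 10) * 10,
        "admitted": record["admitted"].year,
        "dx": record["dx"],
    }
```

On the constructed data the raw release has k = 1, the single unique record is the one a three-column outside table resolves to a name, and the generalized release has k = 3 with no unique records. The same functions apply to a real extract once the quasi-identifier columns are named; in practice the outside table an attacker uses is whatever public data shares those columns.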

Google’s secret cache of medical data includes names and full details of millions – whistleblower

Google gets green light to access five years of NHS patient data

The extent to which patient data has been shared between an NHS trust in England and AI company

2019: Google is taking over DeepMind’s NHS contracts – should we be worried?

The DeepMind data-sharing deal was first revealed by New Scientist in 2016; the UK data watchdog later ruled that the NHS trust involved had failed to comply with the law because patients were not properly informed.

A New Scientist investigation raises questions about the basis under which an NHS Trust is sharing patient data with Google’s AI firm

Did Google’s NHS patient data deal need ethical approval?


The ambition of Google’s parent company Alphabet is to develop new AI tools that can help predict health patterns and improve treatment. Google recently announced plans to buy Fitbit for $2.1bn, aiming to enter the wearables market and invest in digital health.


Google and Ascension have released statements in the wake of the disclosure of Project Nightingale, insisting it conforms with HIPAA and all federal health laws. They said that patient data was protected.

Google Cloud told the Wall Street Journal that the aim was “ultimately improving outcomes, reducing costs, and saving lives”.


In a statement, Ascension said: “All work related to Ascension’s engagement with Google is HIPAA compliant and underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

In the video, the whistleblower begs to disagree. In annotations that run over the leaked documents, they suggest that in future Google might be able to sell or share the data with third parties, or create patient profiles against which they can advertise healthcare products.

“Patients haven’t been told how Ascension is using their data and have not consented to their data being transferred to the cloud or being used by Google. At the very least patients should be told and be able to opt in or opt out,” the whistleblower writes.

How and why should security be tied to HIPAA?

Having to comply with one standard or another brings a few benefits. Some standards leave significant room for interpretation, which lets you tie a security measure you already wanted to a specific clause of that standard. Once compliance is involved there are social, political and legal levers that can be used to push through security controls and process changes that would otherwise stall, and it can also let you piggyback on another department that has budget left over for a project.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and its Security Rule sets national standards for protecting electronic protected health information (ePHI). It applies to the covered entities that store or process ePHI (healthcare providers, health plans and clearinghouses) and, since the HITECH Act, directly to their business associates as well. The Security Rule’s implementation specifications are grouped into administrative, physical and technical safeguards, and each is marked either “required” or “addressable”. Most of them come down to having policies and procedures in place. “Addressable” does not mean optional: the organization must perform a risk assessment and then either implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate for its environment. One of the largest HIPAA penalties against a small organization was levied not because a breach occurred, but because the organization never assessed the possibility. Loss of ePHI harms the patients whose data was exposed and also the provider and the individuals at fault: breaches must be reported to the affected individuals and to the US Department of Health and Human Services (HHS) (the Federal Trade Commission (FTC) has a parallel breach rule for health apps and personal health record vendors that HIPAA does not cover), civil penalties are large, and knowing misuse of PHI carries criminal penalties including prison. HHS publishes a breakdown of each part of the Security Rule and guidance on implementing the standards.


Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted

On May 10, this site broke the story of a medical collection agency breach involving American Medical Collection Agency. The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September 2018 and the beginning of March 2019.

When AMCA did not respond to Gemini’s notification attempt, Gemini Advisory reported their findings to law enforcement, who then contacted AMCA.

AMCA did not subsequently respond to this site’s questions about the incident, although by May 10 it was clear that AMCA knew about and had been addressing the problem (as the screenshots this site published suggested).

Today, ABC news reports that AMCA has reportedly informed Quest Diagnostics that 11.9 million of their patients may be impacted — and that’s just one company. ABC reports:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

Quest reports that AMCA has not yet provided them or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected.

American Medical Collection Agency breach impacted 200,000 patients – Gemini Advisory

The “pay your bill” link on AMCA’s main office site now returns: “Forbidden. You don’t have permission to access /webpay on this server.”

MORALS & ETHICS: We are compliant with all Federal and State Laws and are members of ACA International. We provide our services adhering to the ethical guidelines expected from a National Accounts Receivable Management firm.

Address: 4 Westchester Plaza
Suite 110
Elmsford, NY 10523

Phone: (800) 666-8097
Fax: (914) 992-8935

Customer Service: (844) 505-DEBT
Client Service: (800) 666-8097, Option 1
Sales: (800) 666-8097, Option 2

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.

Understanding When Business Associates Are Directly Liable Under HIPAA

New guidance issued by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) reaffirms that business associates must have proper HIPAA compliance practices, safeguards and documentation in place in order to avoid costly penalties.

OCR recently released a Fact Sheet summarizing the instances in which a business associate is directly liable for HIPAA violations. While nothing in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) has changed at this time, the Fact Sheet, released on May 24, 2019, aims to make it easier for regulated entities to understand and comply with their obligations under the law.


Direct Liability of Business Associates

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.

[ECP] NetHappenings 3/18/19

Office for Civil Rights Headquarters
U.S. Department of Health & Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-800-368-1019
TTD Number: 1-800-537-7697

HHS Releases Voluntary Cybersecurity Practices for Health Industry

With GDPR, California’s Consumer Privacy Act, and next-generation ransomware and denial of service attacks, a firm’s ability to provide security is also becoming a matter of survival. Put it all together, and many CISOs today exist in environments where they are not understood by business executives and thus are not included in business initiatives until it is too late and security vulnerabilities expose the enterprise to cyberattacks and compliance violations.


By 2016, more than 100 million Americans had had their electronic medical records stolen from health systems; each record can be sold for around $50. In June 2016, for example, Banner Health in Phoenix suffered a breach of 3.7 million electronic medical records.
Many hospitals throughout the country have had their health information systems held hostage by hackers and have had to pay ransom to regain control of their patients’ medical data.

The Health Insurance Portability and Accountability Act was written 20 years ago, when medical records were kept on paper, and is not applicable to the contemporary digital era.

Moreover, the pervasive selling of our medical data is unchecked, with no legal protection. The massive hacking of health system data has not resulted in any new legislation to date or enforcement via established laws.

Informed Patient Institute: We rate the websites that help you find the right doctor, hospital and nursing homes, and we provide tips about quality concerns.

ProPublica analyzed nearly 17,000 surgeons and found wide variations in complication rates for some of the most routine elective procedures. Explore our database to know more about a surgeon before your operation.

2016 Consumer Reports Medical Board Ratings

Medicare Provider Utilization and Payment Data: Physician and Other Supplier

Digital business has become a key driver of business strategy across industries, and CIOs have digital transformation at the center of their corporate strategy. #Cybersecurity, amazingly, is often not a top-tier priority in enterprise risk management. The #CISO is only noticed when things go wrong, which is why CISOs are almost always fired or “resign” after major data breaches, even though the CISO is usually the most qualified person to manage post-breach forensics, cleanup and compliance audits.

Think a strong information security posture means you’re complying with HIPAA? Without proper documentation for government regulators, infosec protocols might safeguard data without meeting federal criteria.

Staff lapses and IT system vulnerabilities are key reasons behind the SingHealth cyberattack, according to the COI report.

The reporting outlet describes itself as a group of online professionals who are committed to exposing corporate wrongdoing and giving consumers the tools they need to fight back: “We’ve been reporting on the legal space for nearly a decade and have built relationships with class action and mass tort attorneys across the country.”

Prescription Hope
Prescription Hope offers over 1,500 brand-name medications, all for the set price of $50 per month for each medication. This covers 100% of the medication cost, no matter the retail price.

Market Share Matters: Evidence Of Insurer And Provider Bargaining Over Prices
Health-care providers and insurers have to agree on how much doctors will be reimbursed before doctors begin treating insurers’ clients. Those fees depend on the two parties’ relative clout.

A survey of the numbers, published this week in Health Affairs, shows that small-time doctor’s offices and insurance companies are getting squeezed by their larger competitors.

Finally, U.S. hospitals will have to post their prices online.

Hospitals must post ‘chargemaster’ prices online.
FAQ Requirements for Hospitals To Make Public a List of Their Standard Charges via the Internet
The chargemaster is not a useful tool for consumers who are comparison shopping between hospitals or health systems.
The chargemaster amounts are billed to an insurance company, Medicare, or Medicaid, and those insurers then apply their contracted rates to the services that are billed. In situations where a patient does not have insurance, our hospital has financial assistance policies that apply discounts to the amounts charged.

A huge trove of medical records and prescriptions found exposed
Thousands of health records and doctor’s notes were exposed daily

By Zack Whittaker, March 17, 2019

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password. The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files with other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data. SpiderSilk, a Dubai-based cybersecurity firm, told TechCrunch of the exposed server. The exposed fax server was running an Elasticsearch database with over six million records since its creation in March 2018. The faxes also included personal data and health information on children. None of the data was encrypted. […]

Board of Directors responsible


800 West El Camino Real, Suite 350
Mountain View, California 94040
General +1 650 458 2620
Sales +1 650 458 2625

The server was hosted on a subdomain of MedPharm Services, a Puerto Rico-based affiliate of Meditab; both companies were founded by Kalpesh Patel.
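The Meditab exposure has the shape practitioners see again and again: an Elasticsearch node bound to a public interface with authentication off and cleartext HTTP, so anyone who finds port 9200 can read every index. The following is an added example, not code from the page, from TechCrunch, or from Meditab or SpiderSilk, that audits two constructed `elasticsearch.yml` fragments, the weak configuration beside the hardened one, for the three settings that matter (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, all real Elasticsearch settings), and includes a live probe that reports whether a cluster’s root endpoint answers without credentials. The cluster name, keystore path and the assumption that security is off unless explicitly enabled (the shipped default before Elasticsearch 8.0) are illustrative choices, not facts about the Meditab server.

```python
import json
import urllib.error
import urllib.request

# Constructed elasticsearch.yml fragments (illustration only). The first has the
# shape that leaves a cluster reachable with no password: bound to every
# interface with X-Pack security off and no TLS. The second is the hardened form.
WEAK_CONFIG = """\
cluster.name: fax-archive
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: fax-archive
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.

    Comments and blank lines are skipped; nested YAML blocks are out of scope.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def audit(settings):
    """Return a list of findings for one parsed config; empty means clean."""
    findings = []
    # Elasticsearch binds to loopback unless network.host says otherwise; these
    # values publish the REST API on a routable address (a firewall or reverse
    # proxy in front of it is not visible from the config, so flag regardless).
    host = settings.get("network.host", "_local_")
    if host in ("0.0.0.0", "::") or host.startswith(("_site", "_global")):
        findings.append(f"network.host={host}: REST API bound beyond loopback")
    # Assumption: security is off unless explicitly enabled, which matches the
    # shipped default on releases before 8.0 (the era of the server described).
    if not is_true(settings.get("xpack.security.enabled", "false")):
        findings.append("xpack.security.enabled is not true: no authentication required")
    if not is_true(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("xpack.security.http.ssl.enabled is not true: REST traffic is cleartext")
    return findings


def probe(base_url, timeout=5):
    """Live check: does GET / on the cluster answer without credentials?

    Returns True when the root endpoint serves cluster metadata with no auth,
    False when it demands credentials (401/403), and None on any other error.
    Run only against systems you are authorized to test.
    """
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/", timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8", "replace"))
            return "cluster_name" in body
    except urllib.error.HTTPError as err:
        return False if err.code in (401, 403) else None
    except (urllib.error.URLError, ValueError, OSError):
        return None


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(text)) or "no findings")
```

The weak fragment yields three findings and the hardened one none. The config audit is the cheap preventive check; `probe("http://host:9200")` is the confirmation an assessor runs against an address that turned up in an external scan, and a `True` result means the data is readable by anyone who finds the port, exactly the state the article describes.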

NY Governor Cuomo Calls For Investigation on Facebook Health Data Collection

American Travelers Seek Cheaper Prescription Drugs In Mexico And Beyond
In Utah last year, the Public Employee Health Plan took this idea to a new level with its voluntary Pharmacy Tourism Program. For certain PEHP members who use any of 13 costly prescription medications — including the popular arthritis drug Humira — the insurer will foot the bill to fly the patient and a companion to San Diego, then drive them to a hospital in Tijuana, Mexico, to pick up a 90-day supply of medicine.

TechCrunch: Screen time inhibits toddler development, study finds. “In news that will surprise few but still alarm many, a study has found that kids 2-5 years old who engage in more screen time received worse scores in developmental screening tests. The apparent explanation is simple: when a kid is in front of a screen, they’re not talking, walking or playing, the activities during which basic skills are cultivated.”

Researchers Create Algorithm to Protect Kids from Disturbing YouTube Videos

Computer program that could bypass patents to produce synthetic drugs: software that can bypass current intellectual property and design medication with the same function as top drugs could help pharma companies…

“Massachusetts Attorney General Maura Healey alleges eight Sackler family members and nine Purdue board members or executives played key roles in the nation’s deadly opioid epidemic.