News Insights: WSJ News Exclusive | Google’s ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans

News Insights

Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire,  commented, “There’s no doubt that bigger repositories of sensitive data make bigger targets for attackers, so consumers have every right to be concerned about this move. As with all data driven efforts that require personal data to work, consumers have to weigh the benefits against the risks. Google is a company that’s fundamentally built on data, and healthcare is big business, so it’s hard not to see how this project makes sense.”

Colin Bastable, CEO of security awareness training company Lucy Security, called it “Project Nightmare. He said, “This is yet another reason for Americans not to get sick – the medical companies bankrupt you and then monetize your data as you are on the way to the cemetery. Project Nightmare.  As for the statement ‘underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling,’ how often do we read this sort of nonsense?  How can Ascension ensure that people employed by a third party that is built on exploiting  personal data will adhere to Ascension’s data policies?”

Dov Goldman, Director of Risk and Compliance at Panorays, said, “Recital 4 of the GDPR states that “the processing of personal data should be designed to serve mankind.”  Google’s effort to collect personal health data on millions of Americans, code-named “Project Nightingale,” would seem to be in keeping with that lofty directive. Google and Ascension Health, the second largest US system and the organization providing the information, both stated that this initiative is designed specifically to improve healthcare. The armies of regulators, legislators and public interests scrutinizing Nightingale have thus far reported nothing illegal about the project. Nevertheless, we should be concerned. It’s reported that more than 150 Google staffers have access to data on millions of patients, and Google has other health information projects underway, such as the FitBit fitness product line the web giant purchased recently. Only airtight privacy and information security controls will ensure that Nightingale data is truly safe within Google Cloud and used only for the stated purposes.

It’s good business for Ascension Health to treat Google as a classic third party, and to rigorously assess their privacy and cybersecurity policies and procedures. Ascension must monitor any public-facing Nightingale websites and periodically retest Google’s internal controls for this project. With these foundational best practices in place, Ascension will protect their patients’ privacy and safeguard their reputation as a responsible steward of consumers’ most sensitive data.”