A U.K. law firm is bringing a class-action style claim over a patient health data scandal that dates back to 2015 and involves the Google-owned AI company DeepMind, after it was quietly passed medical information on more than a million patients by an NHS Trust as part of an app development project.
Law firm Mishcon de Reya announced the legal action today, saying a “representative action” has been filed on behalf of a U.K. citizen, called Mr Andrew Prismall, and the approximately 1.6 million others whose confidential medical records were obtained by DeepMind/Google without their knowledge or consent.
Google and the Royal Free NHS Trust have been contacted for comment on the lawsuit.
Last month TechCrunch reported that Google was pulling the plug on the clinician support app, Streams, which was developed by DeepMind and the London-based Royal Free NHS Trust starting in 2015.
The Streams app was rolled out for use by clinicians at the Royal Free and a handful of other NHS Trusts. However, the Royal Free was sanctioned in 2017 by the U.K.’s data protection watchdog, the ICO, for breaching data protection rules when it passed patients’ sensitive medical information to the Google-owned company during the development phase of the app.
In a press release today, Mishcon de Reya described the lawsuit as an “important step in seeking to address the very real public concerns about large-scale access to, and use of, private health data by technology companies”.
“It also raises issues regarding the precise status and responsibility of such technology companies in the data protection context, both in this specific case, and potentially more generally,” the firm added.
During the height of the COVID-19 crisis last year, the U.K. government inked a number of health data processing contracts with tech giants, including Google and Palantir — and those deals have also faced concern and criticism over a lack of transparency.
The government is also consulting on whether to reduce the level of data protection afforded to U.K. citizens, as it seeks to diverge from the European Union’s gold standard of privacy by design and default, set out in legislation such as the General Data Protection Regulation (GDPR).
In a statement on why he’s taking the legal action, Prismall said: “Given the very positive experience of the NHS that I have always had during my various treatments, I was greatly concerned to find that a tech giant had ended up with my confidential medical records.
“As a patient having any sort of medical treatment, the last thing you would expect is your private medical records to be in the hands of one of the world’s biggest technology companies. I hope that this case will help achieve a fair outcome and closure for all of the patients whose confidential records were obtained in this instance without their knowledge or consent.”
Mishcon partner Ben Lasserson, who is leading the case, added: “This important claim should help to answer fundamental questions about the handling of sensitive personal data and special category data. It comes at a time of heightened public interest and understandable concern over who has access to people’s personal data and medical records and how this access is managed.”
A spokeswoman for Mishcon de Reya confirmed to us that it has issued the claim in the U.K. High Court.
Asked whether the claimant is seeking financial damages and/or asking for the data to be deleted, she said she was unable to provide any more information at this early stage.
Most of the NHS Trusts that inked five-year deals with DeepMind to use the Streams software — contracts which subsequently transitioned to Google’s health division, after the company took over DeepMind Health in 2018 — told us they had terminated their arrangements when we asked them about their use of the app last month, as it emerged Google was pulling the plug on the U.K. app following news of an internal reorganization of its health efforts.
However, the Royal Free Trust claimed it would continue to use Streams, despite Google’s announcement that support was being withdrawn — raising questions over how the Trust would ensure the app’s security was kept up-to-date and which divisions within Google would be responsible for handling related service level agreements, going forward, after the tech giant’s internal reorg of its health, wellness and AI efforts.
Update: Google declined to provide a comment at this time but a spokesperson confirmed it’s aware of the lawsuit.
The company added that no claim form has been formally served but said once it has it will look at it in more detail.
The tech giant also pointed us to a third party audit carried out by Linklaters into the data processing arrangement between Royal Free and DeepMind — as part of the ICO settlement — which it said found the Royal Free’s use of Streams to be lawful and compliant with data protection laws. However that third party audit did not examine the original data processing arrangement — which was the one sanctioned by the ICO — looking only at a replacement deal, not the historical misstep, as we reported at the time, so it’s essentially irrelevant to the legal issue being raised by this lawsuit.