Google faces UK lawsuit for NHS patient data breach

A sole claimant Tuesday filed a representative action suit against Google and its artificial intelligence (AI) subsidiary DeepMind Technologies in the High Court of Justice of England and Wales for misuse of private information. The misuse arose from a data-sharing arrangement between DeepMind and the Royal Free London National Health Service (NHS) Foundation Trust.

In 2015 DeepMind and the NHS announced a collaboration to develop Streams, an app that would streamline access to patient data so that doctors and nurses could reach a faster and more accurate prognosis of acute kidney injury. However, the data-sharing agreement revealed DeepMind was gaining access to five years’ worth of confidential data on admissions, discharge and transfer, accidents, emergencies, critical care, pathology, and radiology for over 1.6 million patients covered by the NHS without their knowledge or informed consent.

In 2017 the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), found the data-sharing agreement breached the Data Protection Act and sanctioned the NHS. The ICO’s investigation was limited to the test version of Streams and not its live version. It found DeepMind’s use of patient data for testing the clinical safety of Streams significantly differed from patients’ reasonable expectations when providing the NHS with their data for treatment. Moreover, it found the processing of 1.6 million patient records (partially) was not “necessary and proportionate” to testing an app. Patients could not exercise their “right to opt-out” of their data being used for Streams.

Google, while able to avoid legal responsibility since the NHS was “directly responsible” for sending patient data, confirmed to the media in August 2021 that it would decommission Streams due to a lack of interest from health services.

The present claimant, Andrew Prismall, stated he brought the suit to achieve a “fair outcome and closure” for all 1.6 million patients whose data was breached. A partner at Mishcon de Reya, the law firm representing Prismall, stated the claim could provide clarity on the extent to which tech companies could “access and make use of private health information”.

The suit follows other legal actions revolving around tech and health in the UK and the US. While this is the second such suit announced by Mishcon, DeepMind was at the center of a US District Court class-action suit against a similar data-sharing agreement between Google and the University of Chicago Medical Center in 2020. A lawsuit against deals the NHS struck with tech firm Palantir during the COVID-19 pandemic resulted in the government agreeing not to extend Palantir’s contracts post-pandemic without consultations.