Google to pay $7 million for collecting personal health, other data

Google has settled a case with 38 states, agreeing to pay a $7 million fine after it collected personal health information during its Street View project. Google also agreed to educate its employees on confidentiality of user data, according to reports from Bloomberg and the New York Times.

Google has been under worldwide scrutiny for collecting personal data as part of its mapping project. The claims: When Google used its special vehicles to photograph houses and offices all over the world it was at the same time collecting data from millions of unencrypted wireless networks, including emails and medical and financial records and passwords. 

Google initially denied that it collected personal health data; later it said the data collection was the work of an independent engineer. The Federal Communications Commission, however, said the engineer wasn't so much an independent agent gone rogue as he was an unsupervised worker, in a report released last April. 

"We work hard to get privacy right at Google, but in this case we didn't, which is why we quickly tightened up our systems to address the issue," spokesperson Niki Fenwick said in a statement emailed to media outlets this week.

Meanwhile, another Google product is raising questions about privacy: Google Glasses--wearable devices that use Android software and come equipped with GPS, motion sensors and cameras.

As FierceMobileHealthcare reported last year, Google Glasses could be used in healthcare settings as a surgical imaging head's up display or for remote visits, for example.  

In 2012, several members of Congress expressed concern that Google's then-new privacy policy violated the Health Insurance Portability and Accountability Act (HIPAA). The policy combined Google's previous policies, enabling it to share user information across services. Lawmakers were concerned that searching for healthcare information on Google without logging out would case a person to be tracked across other sites. 

But healthcare attorney David Harlow told FierceHealthIT then that he didn't see it as a violation of HIPAA because the user is releasing their personal health data themselves.

Google's settlement requires an annual privacy week for employees, educational advertisements, privacy certification programs, privacy refresher training for its lawyers, and outreach; including a YouTube video that shows users how to encrypt their data. In The Times, assistant Connecticut attorney general Matthew Fitzsimmions called these provisions "minimum benchmarks" for Google to meet.

To learn more:
- read The New York Times article
- read the Bloomberg article

Related Articles:
Google brings smartphone functionality to eyeglasses
Patient Internet search patterns can provide clues to drug interactions
Tablet wars, IT security dominate at HIMSS13