A lawsuit seeking class-action status alleges that Google's COVID-19 contact tracing tool exposed system logs of millions of users' protected health information to potentially hundreds of third parties.
The lawsuit, which was filed April 27, said Google co-created the Google-Apple exposure notification system to assist local and state agencies in deploying apps for mobile devices to conduct COVID-19 contact tracing.
Eight things to know:
- The lawsuit alleges Google placed PHI on its devices' system logs, which gives access to dozens or potentially hundreds of third-parties.
- The PHI included in these logs includes personal information and medical information associated with contact tracing.
- The lawsuit alleges the exposed information is personally identifiable. The apps are secure, but when the data is stored, it becomes available to third parties with access to the logs. Third parties could link the information to app users and learn about users' COVID-19 diagnosis.
- The plaintiffs filing the lawsuit said they downloaded the California state public health contact tracing apps with Google's GAEN system, and allege that Google violated their privacy and the California Confidentiality of Medical Information Act.
- Twenty-seven states and territories have launched contact tracing apps that use GAEN and more than 28 million people in the U.S. have downloaded the app.
- The lawsuit alleges that Google was informed of the security flaw in GAEN in February, but has not informed the public or GAEN users that their PHI was exposed.
- Besides seeking compensation for damages, the plaintiffs want the court to order Google to cease including PHI in its system logs and to stop allowing third parties to have access to them.
- The plaintiffs also want Google to destroy all PHI it's acquired or created.
Becker's Hospital Review has contacted Google and will update the article with any additional news.