The Google “Removal Policies” page now lists “confidential, personal medical records of private people” among the types of information it may remove from its search results.
“Google search results are a reflection of the content publicly available on the web,” Google states on a Privacy & Terms FAQ page. “Search engines can’t remove content directly from websites, so removing search results from Google wouldn’t remove the content from the web. If you want to remove something from the web, you should contact the webmaster of the site the content is posted on and ask him or her to make a change.”
On its page discussing removal policies, Google maintains that it usually does not remove dates of birth, addresses, and telephone numbers from its search results. However, the following data may be removed:
- National identification numbers (e.g. US Social Security number, Argentine Single Tax Identification Number)
- Bank account numbers
- Credit card numbers
- Images of signatures
- Nude or sexually explicit images that were uploaded or shared without your consent
The company added that it tries to determine “if a piece of personal information creates significant risks of identity theft, financial fraud, or other specific harms” when it is debating whether to remove that data from search results.
“We apply this policy on a case-by-case basis,” the website states. “If we believe that a removal request is being used to try and remove other, non-personal information from search results, we will deny the request. We usually don’t remove information that can be found on official government websites because the information is publicly available.”
Patient data becoming available through public search engines can create issues for both individuals and the healthcare provider that was in charge of keeping that data secure.
In 2016, a class action lawsuit stemming from a 2012 incident in which PHI was made searchable via an internet search engine resulted in a $7.5 million settlement.
Along with the settlement, St. Joseph Health System (SJHS) also had to set $3 million aside for patients who may apply for up to $25,000 each if they suffered identity theft.
The incident in question reportedly occurred at SJHS between 2011 and 2012 when the PHI was discovered online. One of the class members, Danna Graewingholt, found her health information was available online.
A hospital investigation found that potentially breached information included patient names, medical data such as body mass index, smoking status, blood pressure, lab results, diagnoses, medication allergies, demographic information, and advance directive status.
“In or around February 13, 2012, St. Joseph Health System (“SJHS”) sent letters to approximately 31,802 of its patients, notifying them that it had inadvertently made their personal health information publicly accessible on the Internet, thus allowing outside search engines to have access to the information,” the court documents read.
“The information was allegedly accessible from approximately February 2011 to February 2012.”
Plaintiffs filed a total of four causes of action in the case:
- Violation of the Confidentiality of Medical Information Act
- Money had and received
- Violation of the California Unfair Competition Law (UCL), California Business and Professions Code, Section 17200, et seq.
Several SJHS facilities were impacted, including Mission Hospital Regional Medical Center, St. Jude Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, Petaluma Valley Hospital Auxiliary, The Auxiliary of Mission Hospital Laguna Beach, The Auxiliary of Mission Hospital Mission Viejo, Saint Joseph Hospital of Orange, Saint Joseph Hospital of Eureka and Redwood Memorial Hospital of Fortuna.
Source: https://healthitsecurity.com/news/updated-google-policy-may-affect-patient-data-security