There has been new information published regarding the disclosure by Google in January 2010 of theft of proprietary computer information by Internet intruders. On April 19, 2010, John Markoff wrote in The New York Times that a Google “password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications” had been breached. The article goes on to say:
The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.
What is especially perplexing is that, in May 2008, Google launched Google Health, which was touted as a repository or platform for individuals to store and organize their personal health information (“PHI”) online for ease of reference and sharing at the discretion of the individual. The Google Health Web site sets forth its Google Health Privacy Policy (the “Google Policy”). Included among the statements in the Google Policy under the heading “You are in control of your information” are the following:
You control who can access your personal health information. By default, you are the only user who can view and edit your information. If you choose to, you can share your information with others.
Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law.
Included among the statements in the Google Policy under the heading “How Google uses your information” is the following:
To store your information in Google Health, you will need a Google Account. When you create a Google Account, Google asks for your email address and a password, which is used to protect your account from unauthorized access.
If the security breach at Google is as broad and comprehensive as reported, a subscriber to Google Health does not have as much control over his or her PHI as the Google Policy may lead one to believe. While HIPAA and HITECH statutes and regulations would require a “covered entity” or “business associate” to undertake massive damage control and to give notice of the breach to affected individuals, and might even subject the covered entity or business associate to heavy penalties, the Google Health repository presumably is not so regulated. The potential damage to subscribers is catastrophic and perhaps should be the subject of investigation for potential regulation.