A UK law firm is bringing a class-action style claim over a patient health data scandal that dates back to 2015 and involves the Google-owned AI company DeepMind, after it was quietly passed medical information on over a million patients by an NHS Trust as part of an app development project.

Law firm Mishcon de Reya announced the legal action today, saying a “representative action” has been filed on behalf of a UK citizen, called Mr Andrew Prismall, and the approximately 1.6M others whose confidential medical records were obtained by DeepMind/Google without their knowledge or consent.

Google and the Royal Free NHS Trust have been contacted for comment on the lawsuit.

Last month TechCrunch reported that Google was pulling the plug on the clinician support app, Streams, which was developed by DeepMind and the London-based Royal Free NHS Trust starting in 2015.

The Streams app was rolled out for use by clinicians at the Royal Free and a handful of other NHS Trusts. However the Royal Free was sanctioned in 2017 by the UK’s data protection watchdog, the ICO, for breaching data protection rules when it passed patients’ sensitive medical information to the Google-owned company during the development phrase of the app.

In a press release today, Mishcon de Reya described the lawsuit as an “important step in seeking to address the very real public concerns about large-scale access to, and use of, private health data by technology companies”.

“It also raises issues regarding the precise status and responsibility of such technology companies in the data protection context, both in this specific case, and potentially more generally,” the firm added.

During the height of the COVID-19 crisis last year, the UK government inked a number of health data processing contracts with tech giants including Google and Palantir — and those deals have also faced concern and criticism over a lack of transparency.

The government is also consulting on whether to reduce the level of data protection afforded to UK citizens, as it seeks to diverge from the European Union’s gold standard of privacy by design and default, set out in legislation such as the General Data Protection Regulation (GDPR).

UK dials up the spin on data reform, claiming ‘simplified’ rules will drive ‘responsible’ data sharing

In a statement on why he’s taking the legal action, Prismall said: “Given the very positive experience of the NHS that I have always had during my various treatments, I was greatly concerned to find that a tech giant had ended up with my confidential medical records.

“As a patient having any sort of medical treatment, the last thing you would expect is your private medical records to be in the hands of one of the world’s biggest technology companies. I hope that this case will help achieve a fair outcome and closure for all of the patients whose confidential records were obtained in this instance without their knowledge or consent.”

Mishcon partner Ben Lasserson, who is leading the case, added: “This important claim should help to answer fundamental questions about the handling of sensitive personal data and special category data. It comes at a time of heightened public interest and understandable concern over who has access to people’s personal data and medical records and how this access is managed.”

A spokeswoman for Mishcon de Reya confirmed to us that it has issued the claim in the UK High Court.

Asked about whether the claimants is seeking financial damages and/or asking for the data to be deleted she said she was unable to provide any more information at this early stage.

Most of the NHS Trusts that inked five-year deals with DeepMind to use the Streams software — contracts which subsequently transitioned to Google’s health division, after the company took over DeepMind Health in 2018 — told us they had terminated their arrangements when we asked them about their use of the app last month, as it emerged Google was pulling the plug on the UK app following news of an internal reorganization of its health efforts.

However the Royal Free Trust claimed it would continue to use Streams, despite Google’s announcement that support was being withdrawn — raising questions over how the Trust would ensure the app’s security was kept up-to-date and which divisions within Google would be responsible for handling related service level agreements, going forward, after the tech giant’s internal reorg of its health, wellness and AI efforts.

Google gobbling DeepMind’s health app might be the trust shock we need