I decided not to blow the whistle on Google's agreement, known internally as the Nightingale project. The decision came slowly to me, creeping up on me through my daily work as one of around 250 people at Google and Ascension working on the project.
When I first started in Nightingale, I was excited to be at the forefront of medical innovation. Google has claimed to be a major player in the healthcare system, using its phenomenal artificial intelligence (AI) and machine learning tools to predict disease patterns in ways that can one day lead to new treatments, and that know, even cure.
Here I worked with top management teams on both sides, Google and Ascension, to create the future. It was in line with my belief that technology really has the potential to change health care for the better.
But over time I became increasingly concerned about the security and privacy aspect of the agreement. It became clear that many around me in the Nightingale team also shared these concerns.
After a while, I reached a point that I suspect is familiar to most whistleblowers, where what I witnessed was too important for me to keep silent. Two simple questions kept chasing me: did patients know about transferring their data to the tech giant? Should they be informed and given a chance to opt out or away?
The answer to the first question quickly became clear: no. The answer to the second I became increasingly convinced: yes. Put the two together, and how could I not say anything?
So much is at stake. Data security is important in any field, but when this data relates to the personal data of the individual's health, it is of the utmost importance, as this is the last frontier of privacy.
With an agreement as sensitive as the transfer of personal data from more than 50 million Americans to Google oversight, it should be extensive. Each aspect had to pore over to ensure it complied with federal rules that govern confidential handling of protected health information under HIPAA law of 1[ads1]996.
Working with a team of 150 Google employees and 100 or so Ascension employees was eye-opening. But I was constantly struck by how little context and information we were operating in.
What AI algorithms were working in real time when the data was being transferred from hospital groups to the search giant? What did Google plan to do with the data they accessed? No one seemed to know.
Above all: why was the information transmitted in a form that had not been "de-identified" – the term the industry uses to remove all personal information so that the patient's medical record could not be directly linked to them? And why had no patients and doctors been told what was happening?
I was also concerned about the security aspect of placing large amounts of medical data in the digital cloud. Think about the recent hacking in banks or the data breach of 2013 that retail giant Target has been subjected to – imagine now that a similar incident was inflicted on millions of health care providers.
I am proud that I brought this story to public attention. Since it broke on Monday, several members of Congress have expressed concern, including Democratic presidential candidate Sen. Amy Klobuchar of Minnesota, who said the deal raised "serious privacy concerns."
I can see the benefits of unleashing Google's vast computing power on medical data. Applications will be faster; data more accessible to doctors; new channels will be opened which in time may find cures for certain conditions.
But the drawbacks change for me. Employees at large technology companies that have access to personal information; data that could potentially be passed on to a third party; Advertising for a day to target patients according to their medical history.
I would hope that the result of lifting the lid on this issue will be an open debate leading to concrete change. Transfers of healthcare to large technology companies must be shared with the public and made completely transparent, with the supervision of an independent watchdog.
Patients must have the right to opt out or exit. The use of the data must be clearly defined for all to see, not just for now, but for 10 or 20 years to come.
Full HIPAA compliance must be enforced and boundaries must be put in place to prevent third parties from accessing the data without public consent.
In short, patients and the public have the right to know what happens to their personal health information at every step along the way. To quote one of my role models, Luke Skywalker: "May the Force Be With You."