The federal government opened an inquiry into Google’s “Project Nightingale” after the Wall Street Journal reported that the tech giant has been amassing large amounts of health data from millions of Americans as part of an effort to streamline health care and data systems for hospitals.

Ascension, a St. Louis-based hospital chain and the world’s largest Catholic healthcare system, began sharing its patients’ data with Google in 2018 with the goal of consolidating data systems from its facilities all over the U.S. and optimizing care for those patients.

But federal regulators are concerned Google can’t be trusted to protect the privacy of those patients, given the company’s privacy track record.

William Smith, Ph.D. and visiting life sciences fellow with the Pioneer Institute, told InsideSources he was “shocked” by the amount of sensitive, detailed information Google has collected on Ascension patients, like patient names.

When members of the healthcare industry conduct studies or amass large amounts of data on patients, he said, they usually de-identify (or pseudonymize) the data to protect patients’ privacy.

“[Google] argued in most of the stories I read that we share identified data sometimes with contractors, and that may be true, but Google is not really a contractor, they’re one of the biggest companies in the world, so to describe them as a contractor is kind of misleading,” Smith said. “You don’t need a patient’s name when you do this kind of data crunching.”

That said, what Google and Ascension are trying to accomplish could be extremely valuable or “dangerous,” Smith said, especially given Google’s treatment of its customers’ data and children’s data.

“I wouldn’t want [Google] to use it for commercial advantage,” Smith said. “They have [patient] names, are they going to advertise them? Are they going to put ads on their Google pages? I think they could have gotten the same value without names, without identifiers.”

A Google spokesperson told the Journal that patient health data would not be used to sell ads. But given Google’s track record of sharing Google users’ data with third-party advertisers and businesses, privacy experts are skeptical of this response.

“Lawmakers need to, right now, put some teeth in the consequences for future abuse of this data,” tweeted Cyber Risk Research Director Chris Vickery. “It’ll happen if it is not already happening. Put them on notice. Add in mandatory minimum prison time for execs and other employees responsible for any abuses.”

The fact that every other company within the healthcare supply chain de-identifies patient data also concerns privacy and health experts.

“I’m quite familiar with some large insurance companies who do these kinds of large metadata studies on their own patient records, and I’m told they de-identify the records,” Smith said. “I’m not sure why Google didn’t in this case and why they needed it. I wish they would just stick to metadata studies with deidentified studies.”

Federal lawmakers took to Twitter this week to lambast Google over Project Nightingale, even suggesting that the project could result in higher healthcare costs for patients.

“Google has secretly mined the health records of tens of millions of Americans to drive up costs to patients,” Sen. Richard Blumenthal (D-Conn.) said. “Blatant disregard for privacy, public well-being, & basic norms is now core to Google’s business model. This abuse is beyond shameful.”

On Facebook, Rep. Bill Cassidy (R-La.), who is also a gastroenterologist, said, “Google and Ascension are collecting millions of patients’ private health data without their knowledge so that these companies can improve their ability to order more tests and send more bills. Technological innovations should be used to lower costs and help patients, not to find new ways to charge them more.”

Smith said he’s also worried about Google having undue influence over healthcare decisions because of the nature of Project Nightingale.

“Seems the ambition is for Google to direct the care plan rather than the doctor,” he said. “Privacy is a gigantic issue, and it’s particularly sensitive in healthcare. People don’t want their information floating around in a way they can’t control.”

Follow Kate on Twitter