Alphabet’s health tech subsidiary Verily used the health data of greater than 25,000 patients without authorization and actively covered up those violations, a former company executive alleges.Â
The manager, Ryan Sloan, claims Verily fired him after he discovered breaches of the Health Insurance Portability and Accountability Act, or HIPAA, and reported his concerns to the corporate’s senior management.
Patient data within the U.S. is protected under HIPAA, which ensures the sensitive information can’t be disclosed with out a patient’s consent.
Sloan’s allegations are detailed in a pending lawsuit in federal court in San Francisco. The suit, which was filed late last yr, has not been previously reported.
On Monday, the judge overseeing Sloan’s case denied a request by Verily to dismiss his civil criticism, or to send the dispute to arbitration.
“Verily believes the allegations and contentions alleged on this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the total extent of the law,” an organization spokesperson told CNBC in an announcement. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As that is an ongoing legal matter, Verily won’t be providing further comment presently.”
Representatives for Sloan didn’t comment.
Verily began as a moon shot in 2015 inside Alphabet’s innovation lab X, formerly referred to as Google X. It’s Google’s sister company and operates under Alphabet’s “Other Bets” category.
The corporate hired Sloan in 2020 to serve because the chief business officer of its diabetes and hypertension business, Verily Onduo.
In January 2022, Sloan alleged that he and Julia Feldman, Onduo’s general counsel, discovered Verily had improperly used patients’ protected health information in its research, marketing campaigns, press releases and national conferences. The “extensive violations” affected greater than 25,000 patients in Onduo’s diabetes program, in accordance with an amended criticism filed in June.Â
Sloan and Feldman informed senior Verily leaders of their findings, the filing said, they usually repeatedly raised the difficulty. An internal investigation at Verily confirmed several HIPAA breaches took place, in accordance with the filing.
“Between January and March of 2022, internal investigators at Verily confirmed multiple breaches of fourteen (14) separate HIPAA Business Associate Agreements with large, covered entity clients of Onduo between 2017 and 2021,” the filing said.
Patients who accessed Verily Onduo through these clients – which include Walgreens Boots Alliance, Highmark Health, Quest Diagnostics and Delta Air Lines, amongst others – can have been affected by the breaches.Â
Delta said in an announcement that it doesn’t have a comment on the suit, “but our worker’s personal information is necessary to us.”
“We’re looking into this and can ensure that any impact to our people is appropriately addressed,” the corporate said.
Quest said in an announcement that, “We should not conversant in the allegations and don’t have any further comment.”
Highmark declined to comment. Walgreens didn’t reply to CNBC’s requests for comment.
Under HIPAA, firms like Verily are speculated to notify impacted parties no later than 60 days after discovering a breach. Verily “decided to delay the choice of notifying the covered entities,” in accordance with the filing, and the corporate engaged in negotiations to renew lots of those contracts “without revealing that a HIPAA breach had recently occurred.”Â
“During a contract negotiation between Verily and Highmark Health in August of 2022, Verily represented that it was in compliance with HIPAA in any respect times, while knowingly concealing that a HIPAA breach had occurred,” the filing said.Â
That very same month, Verily terminated Feldman and one other worker who was aware of the breaches.
When Sloan reiterated his concerns concerning the breaches to Lisa Greenbaum, Verily’s then chief revenue officer, in October 2022, she allegedly defended the corporate’s decision not to reveal them and said that doing so would negatively affect public relations, the filing said.
Greenbaum joined Doximity, one other health-care technology company, as chief business officer in January 2024, in accordance with her LinkedIn.Â
Doximity didn’t immediately reply to CNBC’s request for comment.
In November 2022, Verily allegedly suppressed a press release out of concern that it could draw attention to previous marketing studies that violated its HIPAA Business Associate Agreements. The corporate removed the press release from its website and instructed employees not to say it again, in accordance with the filing.Â
Sloan was officially terminated from Verily in January of 2023, while on protected leave to take care of his “critically unwell mother,” the filing said.Â
The lawsuit marks the most recent in a series of stumbles at Verily, which, despite raising greater than $1 billion from investors, has struggled to latch onto a winning product. Verily is reportedly transitioning from a limited liability company, or an LLC, to an investor-friendly C-Corp structure to arrange for a fresh round of funding, in accordance with a report from Business Insider on Wednesday.
Verily originally developed hardware like continuous glucose monitors before pivoting to pandemic response when Covid-19 broke out in 2020, then switched directions again to give attention to precision health in 2022.Â
The corporate introduced a brand new artificial intelligence-powered chronic-care solution called Verily Lightpath last yr, and announced it was selling its stop-loss insurance subsidiary, Granular Insurance Co., in February.
— CNBC’s Lora Kolodny and Dan Mangan contributed to this report.
