
Alphabet’s health tech subsidiary Verily used the health data of more than 25,000 patients without authorization and actively covered up those violations, a former company executive alleges.
The executive, Ryan Sloan, claims Verily fired him after he discovered breaches of the Health Insurance Portability and Accountability Act, or HIPAA, and reported his concerns to the company’s senior management.
Patient data in the U.S. is protected under HIPAA, which ensures the sensitive information cannot be disclosed without a patient’s consent.
Sloan’s allegations are detailed in a pending lawsuit in federal court in San Francisco. The suit, which was filed late last year, has not been previously reported.
On Monday, the judge overseeing Sloan’s case denied a request by Verily to dismiss his civil complaint, or to send the dispute to arbitration.
“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” a company spokesperson told CNBC in a statement. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As this is an ongoing legal matter, Verily will not be providing further comment at this time.”
Representatives for Sloan did not comment.
Verily started as a moonshot in 2015 within Alphabet’s innovation lab X, formerly known as Google X. It’s Google’s sister company and operates under Alphabet’s “Other Bets” category.
The company hired Sloan in 2020 to serve as the chief commercial officer of its diabetes and hypertension business, Verily Onduo.
In January 2022, Sloan alleged that he and Julia Feldman, Onduo’s general counsel, discovered Verily had improperly used patients’ protected health information in its research, marketing campaigns, press releases and national conferences. The “extensive violations” affected more than 25,000 patients in Onduo’s diabetes program, according to an amended complaint filed in June.
Sloan and Feldman informed senior Verily leaders of their findings, the filing said, and they repeatedly raised the issue. An internal investigation at Verily confirmed several HIPAA breaches took place, according to the filing.
“Between January and March of 2022, internal investigators at Verily confirmed multiple breaches of fourteen (14) separate HIPAA Business Associate Agreements with large, covered entity clients of Onduo between 2017 and 2021,” the filing said.
Patients who accessed Verily Onduo through these clients – which include Walgreens Boots Alliance, Highmark Health, Quest Diagnostics and Delta Air Lines, among others – may have been affected by the breaches.
Delta said in a statement that it doesn’t have a comment on the suit, “but our employee’s personal information is important to us.”
“We are looking into this and will make sure any impact to our people is appropriately addressed,” the company said.
Quest said in a statement that, “We are not familiar with the allegations and have no further comment.”
Highmark declined to comment. Walgreens did not respond to CNBC’s requests for comment.
Under HIPAA, companies like Verily are supposed to notify impacted parties no later than 60 days after discovering a breach. Verily “decided to delay the decision of notifying the covered entities,” according to the filing, and the company engaged in negotiations to renew many of those contracts “without revealing that a HIPAA breach had recently occurred.”
“During a contract negotiation between Verily and Highmark Health in August of 2022, Verily represented that it was in compliance with HIPAA at all times, while knowingly concealing that a HIPAA breach had occurred,” the filing said.
That same month, Verily terminated Feldman and another employee who was aware of the breaches.
When Sloan reiterated his concerns about the breaches to Lisa Greenbaum, Verily’s then chief revenue officer, in October 2022, she allegedly defended the company’s decision not to disclose them and said that doing so would negatively affect public relations, the filing said.
Greenbaum joined Doximity, another health-care technology company, as chief commercial officer in January 2024, according to her LinkedIn.
Doximity did not immediately respond to a request for comment.
In November 2022, Verily allegedly suppressed a press release out of concern that it would draw attention to previous marketing studies that violated its HIPAA Business Associate Agreements. The company removed the press release from its website and instructed employees not to mention it again, according to the filing.
Sloan was officially terminated from Verily in January of 2023, while on protected leave to care for his “critically ill mother,” the filing said.
The lawsuit marks the latest in a series of stumbles at Verily, which, despite raising more than $1 billion from investors, has struggled to latch onto a winning product. Verily is reportedly transitioning from a Limited Liability Company, or an LLC, to an investor-friendly C-corp structure to prepare for a fresh round of funding, according to a report from Business Insider on Wednesday.
Verily originally developed hardware like continuous glucose monitors before pivoting to pandemic response when Covid-19 broke out in 2020, then switched directions again to focus on precision health in 2022.
The company introduced a new artificial intelligence-powered chronic care solution called Verily Lightpath last year, and announced it was selling its stop-loss insurance subsidiary, Granular Insurance Company, in February.
–CNBC’s Lora Kolodny and Dan Mangan contributed to this report