Verily Concealed HIPAA Violations

Alphabet’s health tech arm, Verily, is facing allegations of unauthorized use of patient data affecting over 25,000 individuals and a subsequent cover-up, according to a lawsuit filed by a former executive. The lawsuit, brought forth by Ryan Sloan, the former chief commercial officer of Verily Onduo, centers around alleged breaches of the Health Insurance Portability and Accountability Act (HIPAA).

Sloan claims he was terminated after discovering the HIPAA violations and reporting them to Verily’s senior management. HIPAA regulations safeguard patient data, prohibiting disclosure without explicit consent. The lawsuit, filed in federal court in San Francisco and previously unreported, took a significant turn this week as the presiding judge denied Verily’s request for dismissal or arbitration.

A Verily spokesperson stated to CNBC: “Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law. Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As this is an ongoing legal matter, Verily will not be providing further comment at this time.” Representatives for Sloan have not yet issued a statement.

The core of Sloan’s complaint revolves around claims that Verily improperly used protected health information for research, marketing campaigns, press releases, and presentations at national conferences, impacting over 25,000 patients enrolled in the Onduo diabetes program. The amended complaint, filed in June, alleges that Sloan and Onduo’s then-general counsel, Julia Feldman, brought these concerns to Verily’s leadership. An internal investigation reportedly confirmed several HIPAA breaches related to Business Associate Agreements with Onduo clients between 2017 and 2021.

The lawsuit further details that patients accessing Verily Onduo through partnerships with companies including Walgreens Boots Alliance, Highmark Health, Quest Diagnostics, and Delta Air Lines may have been affected. Delta has acknowledged being aware of the allegations and is looking into potential impacts on their employees. Quest Diagnostics stated they were not familiar with the allegations. Highmark has declined to comment, and Walgreens has yet to respond to requests for comments.

According to the filing, Verily opted to delay notifying affected parties within the mandated 60-day window after discovering a breach, choosing instead to negotiate contract renewals “without revealing that a HIPAA breach had recently occurred.” The lawsuit alleges this concealment extended to negotiations with Highmark Health, where Verily reportedly affirmed HIPAA compliance despite knowingly concealing a breach.

Feldman and another employee aware of the breaches were reportedly terminated in August of 2022. Sloan claims his concerns about the breaches, reiterated to Lisa Greenbaum, Verily’s then-chief revenue officer, were met with justifications for non-disclosure based on potential negative public relations impacts. Greenbaum has since joined Doximity as chief commercial officer. Doximity has not yet responded to requests for comment.

The suit highlights a suppressed press release in November 2022, allegedly due to concerns of drawing attention to prior marketing studies that violated HIPAA Business Associate Agreements. Sloan was ultimately terminated in January 2023 while on protected leave, the filing alleges.

This lawsuit adds to existing challenges for Verily, a company born out of Alphabet’s innovation lab “X” (formerly Google X) in 2015, and operating within Alphabet’s “Other Bets” portfolio. Despite significant investment, Verily has struggled to establish a consistently successful product. This development comes as Verily reportedly prepares for a new funding round, transitioning from an LLC to a C-Corp, as reported by Business Insider. This structural change could provide additional flexibility as Verily navigates strategic shifts. After initial efforts in hardware development, including continuous glucose monitors, Verily pivoted to pandemic response in 2020 and later to precision health in 2022.

The company has recently introduced Verily Lightpath, an AI-driven chronic care solution, and plans to sell its stop-loss insurance subsidiary, Granular Insurance Co. These moves signal a strategic refocusing within Verily as it attempts to solidify its position as a key player in the evolving health tech landscape. The HIPAA lawsuit presents a considerable hurdle for the company, raising serious questions about its data handling practices and internal controls and potentially impacting investor confidence and future partnerships.