A whistleblower lawsuit has surfaced against Alphabet-owned Verily, alleging serious violations of the Health Insurance Portability and Accountability Act (HIPAA). The legal action was initiated by Ryan Sloan, a former executive at Verily’s diabetes and hypertension division, Onduo, who claims that the healthcare technology company misused sensitive patient data belonging to more than 25,000 individuals.
Allegations of Data Misuse and Cover-Up
The lawsuit, filed last year but only recently reported on, accuses Verily of improperly using patients’ personally identifiable health information for unauthorised purposes, including research, marketing campaigns, and public presentations. Such uses, according to Sloan, breach the HIPAA Privacy Rule unless explicit consent is acquired from the affected patients.
Sloan’s court filing further alleges that Verily not only failed to report these breaches but also delayed disclosure to healthcare entities while negotiating contract renewals. This delay, if confirmed, would violate the HIPAA Breach Notification Rule, which mandates timely notification of any data breaches to both affected parties and regulators.
An internal investigation at Verily reportedly confirmed these breaches, which involved data from 14 HIPAA-regulated entities, including Quest Diagnostics, Highmark Health, and Walgreens Boots Alliance. Despite these findings, Sloan alleges that notifications were withheld, even during sensitive contract discussions.
Retaliation Allegations Against Verily
Sloan, who was employed at Verily from 2020 until his termination in January 2023, asserts that he and Julia Feldman, Onduo’s general counsel, uncovered the breaches in early 2022. The two claim they repeatedly raised their concerns with senior management. According to Sloan, their persistence led to retaliation, with Feldman and another employee being dismissed in August 2022, and Sloan himself being terminated the following January.
In one specific instance, Sloan alleges that Verily misrepresented its compliance with HIPAA rules during an August 2022 contract negotiation with Highmark Health, despite knowing HIPAA violations had occurred.
Verily Denies Allegations
Verily has categorically denied the claims made in the lawsuit. In a statement provided to CNBC, a Verily spokesperson said, "Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law." The spokesperson added, "Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As this is an ongoing legal matter, Verily will not be providing further comment at this time."
Legal and Regulatory Landscape
The case, Sloan v. Verily Life Sciences LLC, is being litigated in the United States District Court for the Northern District of California in San Francisco. Notably, individuals cannot sue for HIPAA violations directly, as enforcement of HIPAA regulations falls under the jurisdiction of the US Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Sloan’s legal argument instead focuses on claims of retaliation under his employment contract.
As the lawsuit progresses, it raises significant questions about corporate accountability in safeguarding sensitive health data and adhering to regulatory obligations. The outcome of the case could have wider implications for the healthcare technology industry and its management of patient privacy.
Read the source
