Mistake in Google Groups Privacy Setting Leaves Medical Records in Japan’s Hospitals Open to Public

REUTERS/Dado Ruvic/Illustration/File Photo
A 3D-printed Google logo is seen in this illustration taken April 12, 2020.

The medical records of patients at a number of medical and nursing-care facilities were made accessible to any internet user on Google Groups, a free service provided by the tech giant that allows users to share emails on the internet, The Yomiuri Shimbun has learned.

The oversight occurred after users mistakenly enabled accessibility by all in their email settings, and brings to light how personal information can be carelessly handled in the medical field, which manages particularly sensitive information.

At least five institutions in the medical and nursing-care fields were found to have patient and care recipient information accessible to outsiders, a probe by The Yomiuri Shimbun revealed. These included St. Marianna University School of Medicine Hospital and Sensinkai, a medical corporation, both located in Kanagawa Prefecture.

According to St. Marianna, seven nurses in its emergency center who voluntarily use Google Groups to communicate with each other had chosen their email settings to make them accessible to outsiders. More than 250 emails were sent between November 2019 and December 2020, The Yomiuri Shimbun confirmed.

An email in August stated the name of a patient suspected of being infected with the novel coronavirus and who was “in the ICU with a fever,” and included the names of patients in the same room. Another email had internal documents attached, including a manual for handling COVID-19 patients during admission to the hospital and when their deaths were confirmed.

Sensinkai allowed public access to business emails containing the names and addresses of more than 500 patients treated at its clinics in Sagamihara, Kanagawa Prefecture, and Machida, Tokyo, from December 2019 to Jan. 21, 2021.

On top of specifying the type of ailment, test results and medication history, the emails included highly sensitive personal information, such as “dementia caused by Alzheimer’s,” “lung cancer” and “wandering [due to dementia].”

In addition, nursing care facility operators in Tokyo and Kanagawa Prefecture and a medical-related company in Osaka Prefecture had information on users and customers accessible to outside parties. All have already changed their settings to disable accessibility following notification by The Yomiuri Shimbun and other third parties.

This is not the first time problems have arisen with Google Groups. Similar troubles occurred in 2013 when internal information on government ministries and companies were viewable by outsiders. The default setting at the time made access available for all internet users, but after the problem came to light, Google changed the default setting to limit accessibility to “within the group.”

On Jan. 25, both the St. Marianna University School of Medicine Hospital and Sensinkai acknowledged that they had mistakenly changed the settings, and both issued apologies on their websites.

Sensinkai reported the information leak to the government’s Personal Information Protection Commission, which will investigate the matter. The Law on the Protection of Personal Information designates medical records as personal information that requires strict handling.

Numerous errors

The Yomiuri Shimbun investigation also found that universities and companies using Google Groups had put their internal emails at risk of being publicly accessed.

Nihon University’s College of Science and Technology made accessible the names, high schools and other information of applicants for its open campus last year. A medical consulting company in Osaka Prefecture enabled public viewing of the names and contact information of people who had requested mental health-related materials.

In 2013, the contents of the Environment Ministry’s negotiations on international treaties were made visible to the outside world, and high-ranking officials at the time were disciplined. Google came under sharp criticism because the default setting enabled access by all, leading the company to change it to sharing within the group only. Even so, there has been an unending number of cases of people mistakenly changing the privacy setting to “public.”

In an interview with The Yomiuri Shimbun, Google’s Japan unit maintained that it has done all it can to address the matter. “We are aware that there have been cases where information has been mistakenly shared as a result of users making a mistake with accessibility authorization and choosing the wrong setting,” the company said. “We guide users on how to properly manage the privacy settings through our help page and other measures.”