Google’s health efforts sit within Google Cloud, which is key to the company’s future growth. If Google can’t figure out how to address privacy concerns over health data, its cloud business will have a hard time selling into the health sector.

Google is facing a backlash after The Wall Street Journal reported that its partnership with hospital network Ascension enabled it to gather personal health data on millions of Americans, a disclosure that points to how lack of trust could hurt its up-and-coming cloud business.

Google’s parent company, Alphabet, is counting on new businesses for growth as it prepares for a slowdown in its core digital advertising business. The company showed slowing ad revenue in its first quarter of 2019, and a decline in profit from the previous year in the third quarter.

Google Cloud, which aims to compete with Amazon and Microsoft, has the potential to pick up some of the slack despite trailing well behind the two industry leaders. Under Cloud CEO Thomas Kurian, who joined about a year ago from Oracle, Google has already doubled cloud revenue in the last year to $8 billion a year, and it plans to double again in the next year. Kurian has poured tons of resources into it, including making some big acquisitions, and plans to triple its sales force over the next few years.

Health care is a particularly attractive sector, as there are still large accounts to be won. The medical sector is giant and has been notoriously slow to move to the cloud.

But being unable to address privacy concerns could sink these ambitions, as no health customer wants to face angry consumers concerned about Google getting their health data.

“The story here is around public perceptions of Google, and big tech in general,” said Farzad Mostashari, the former national coordinator for health information technology and CEO of health technology company Aledade.

Mostashari and others say that Google could hold public forums to explain how it manages patient health data and leverage its internal health experts, including its chief health officer Karen DeSalvo. Ultimately, unless it changes its internal culture around secrecy at all costs, and moves toward openness and transparency, it will be very challenging for Google and its parent company Alphabet to make a real dent in the $3.5 trillion medical sector.

A tepid response

The Google-Ascension deal was revealed on Monday by The Wall Street Journal, which said 150 Google employees already have access to data on tens of millions of patients without their knowledge or consent. As CNBC reported, and the companies later confirmed, the partnership is bound by an industry-standard agreement called a Business Associate Agreement that limits what Google can do with the information collected. In particular, Google and Ascension may only use the data collected in the course of providing better care to Ascension patients, and Google cannot use it for other commercial purposes, such as targeted advertising.

One person familiar with the deal told CNBC that the agreement only allowed for the companies to make a tool to search through patient health records on Ascension’s behalf. It was intended to be a blueprint for what might work in the future, not a tool for Google to sell broadly.

But Google’s response to the story did little to calm fears.

Hours after the story broke on Monday, Tariq Shaukat, a Google cloud executive who does not have a health background, offered a broad outline of its work and the privacy restrictions related to it in a blog post. None of its resident health-care experts, such as former U.S. Food and Drug Administrator Robert Califf, spoke out.

As the flap unfolded throughout Tuesday evening, a Democratic presidential contender, Sen. Amy Klobuchar of Minnesota, said that the deal raised “serious privacy concerns,” and the Journal reported that the Department of Health and Human Services is going to look into whether the deal violated HIPAA, a set of federal privacy regulations around health information.

Google updated its blog post on Tuesday night with more details about the project, specifying that “Patient data...is not used for any other purpose than servicing the product on behalf of Ascension. Specifically, any Ascension data under this agreement will not be used to sell ads.”

But the damage was done.

‘There is no trust’

Health-care industry insiders say that Google’s tepid response is an example of a broader problem. The company’s secrecy about its health-care work and use of code names like “Project Nightingale” makes its dealings look more nefarious than they actually are.

“The actual agreement is perfectly above board and all the relevant documents have been signed,” said Niall Brennan, president and chief executive of the Health Care Cost Institute and a health data privacy expert. Brennan referred to the whole situation as a “giant nothingburger” on Twitter.

“Every day, millions of pieces of personal health information are safely transported or exchanged under the framework of HIPAA, by and large adhering to privacy and security protocols,” said Brennan. Companies like Optum, which is owned by UnitedHealth Group, or the leading health record vendors, like Cerner, do that sort of work routinely.

There are certainly examples where companies make mistakes, and face fines and penalties. But the good outweighs the harm, Brennan said.

“The vast majority of this data sharing is good and important for patient care,” he said. “And if it didn’t happen, health care would grind to a screeching halt.”

Brennan’s larger point is that Americans have major “mistrust and anger” toward tech companies, and their often cavalier approach with people’s information.

Google is not the only company responsible for this perception -the drumbeat of scandals around Facebook’s use and abuse of consumer information is probably a bigger reason -but moves like storing consumers’ purchase information in Gmail and then making it impossible to remove have probably not helped.

“It all boils down to trust, and there is no trust,” he said.

The Ascension uproar could even affect Google’s Fitbit acquisition, which is supposed to close in 2020, said Sean Dempsey, co-founder and managing director of Merus Capital, who led corporate development and helped build Google’s M&A team in 2005 through 2007.

“The scrutiny is so high right now where the regulators want to show they’re doing something about it and so blocking an acquisition, while normally unlikely, is possible,” he said. “I don’t think Google is going to give up on health anytime soon but I think it’s going to be an issue and slow them down quite a bit.”

Google needs to recognize that health care is a different beast from search queries or email or videos on YouTube. People, for good reason, are very sensitive about their health information ending up in the wrong hands.

As Mostashari mused on Twitter: “Google can sign a BAA, but they have to convince people that they actually have controls in place to ensure that the data is only being used for the purposes of the agreement.”