Full Report
Here’s another whistleblower suit recently filed. Ashley Capoot reports: Alphabet’s health tech subsidiary, Verily, used the health data of more than 25,000 patients without authorization and actively covered up those violations, a former company executive alleges. The executive, Ryan Sloan, claims Verily fired him after he discovered breaches of the Health Insurance Portability and Accountability Act, or... Source
Analysis Summary
# Incident Report: Alleged Unauthorized Use and Cover-up of Patient Health Data at Verily
## Executive Summary
A former executive at Alphabet's health tech subsidiary, Verily, filed a whistleblower lawsuit alleging that the company improperly used the health data of over 25,000 patients without authorization and subsequently attempted to cover up these Health Insurance Portability and Accountability Act (HIPAA) violations. The executive claims he was fired after reporting these internal findings.
## Incident Details
- Discovery Date: Unknown (Internal discovery by Ryan Sloan leading up to the lawsuit filing in late 2024/early 2025)
- Incident Date: Ongoing/Prior to discovery by whistleblower
- Affected Organization: Verily (Alphabet subsidiary)
- Sector: Health Technology/Healthcare
- Geography: San Francisco, California (federal court jurisdiction); U.S. operations implied to be affected
## Timeline of Events
### Initial Access
- Date/Time: Not specified, prior to whistleblower discovery.
- Vector: Internal data access/use by Verily operations, allegedly without patient consent.
- Details: Use of health data belonging to more than 25,000 patients.
### Lateral Movement
- Not applicable in the context of a systemic internal data misuse allegation and subsequent whistleblower action.
### Data Exfiltration/Impact
- Data exposed/misused involved protected health information (PHI) belonging to over 25,000 patients, constituting alleged HIPAA violations.
### Detection & Response
- Detection: Internal discovery by former executive Ryan Sloan.
- Response actions taken: Sloan reported concerns to senior management; subsequently claims he was terminated. Lawsuit filed in federal court in San Francisco. Verily recently sought dismissal, which was denied by the judge.
## Attack Methodology
This submission describes a case of internal non-compliance and alleged cover-up, rather than a typical external cyberattack. The methodology relevant here is organizational failure leading to HIPAA breach:
- Initial Access: Internal operational access to controlled patient data.
- Persistence: Continuous unauthorized use of data.
- Privilege Escalation: Not applicable; the alleged use occurred within existing internal organizational permissions.
- Defense Evasion: Alleged subsequent active cover-up of the violations.
- Credential Access: Not applicable.
- Discovery: Internal audit/discovery by whistleblower.
- Lateral Movement: Not applicable.
- Collection: Unauthorized use of patient PHI.
- Exfiltration: Unauthorized disclosure/use of PHI.
- Impact: Legal exposure, regulatory scrutiny, and patient privacy violation.
## Impact Assessment
- Financial: Potentially significant legal fees and regulatory fines (HIPAA/OCR investigation penalties).
- Data Breach: Unauthorized use of health data for over 25,000 patients that should have been protected under HIPAA.
- Operational: Disruption from the internal investigation, legal proceedings, and potentially mandated changes to data handling procedures.
- Reputational: Significant reputational damage stemming from allegations of covering up patient data misuse at a major health-tech firm.
## Indicators of Compromise
Since this centers on internal policy violation rather than external malware, specific traditional IoCs (IPs, URLs, hashes) are not provided in the source material.
- Network indicators: N/A
- File indicators: N/A
- Behavioral indicators: Unauthorized processing or access to datasets containing Protected Health Information (PHI) without documented patient consent.
## Response Actions
Based on the information available:
- Containment measures: Not specified, but likely involved stopping further unauthorized data processing upon internal discovery.
- Eradication steps: Not specified, but would involve remediating the processes that allowed unauthorized data use.
- Recovery actions: Legal defense against the pending lawsuit and compliance overhaul (implied).
## Lessons Learned
- **Internal Oversight Failure:** Serious lapses occurred allowing unauthorized use of PHI for a large patient cohort.
- **Whistleblower Retaliation Risk:** The company faces serious allegations regarding its handling of the whistleblower who reported the issue (Sloan claims he was terminated for doing so).
- **HIPAA Compliance Culture:** Allegations suggest a culture that prioritizes use over strict compliance protocols.
- **What Could Have Been Done Better:** Immediate, transparent internal investigation and remediation upon discovery of the HIPAA violation, rather than the alleged cover-up attempts.
## Recommendations
- Conduct a comprehensive, independent audit of all patient data usage protocols against HIPAA requirements.
- Review and strengthen the internal process for reporting and escalating compliance violations to ensure robust protection for whistleblowers.
- Implement mandatory retraining for all personnel handling PHI on consent requirements and data minimization principles.