Google is working with one of the largest healthcare systems in the U.S. to collect patient data on millions of Americans in 21 states and across 2,600 hospitals or clinics in order to analyze it and come up with advice for better patient care and cost cutting measures.

The project was reportedly revealed by a whistleblower who said the program, dubbed "Project Nightingale," involved Ascension – the largest Catholic health system in the world – and up to 50 million private medical records from healthcare providers.

[ Further reading: Why Amazon Care may be the new model for corporate healthcare ]

It wasn't Google's only public controversy this week. Shortly after its deal with Ascension became public, The Washington Post reported that the National Institutes of Health (NIH) stopped the tech giant from posting more than 100,000 human chest x-rays.

Although the x-rays were part of a 2017 joint project with the NIH, the government agency discovered some of the images contained personally identifiable information of patients.

As for its deal with Ascension, Google said it had revealed plans to use its cloud data analytics to cull information from Ascension's patient data during a Q2 earnings call in July, though "Project Nightingale" was never mentioned during that call. "We announced 'Google Cloud's AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes,'" Google Cloud President Tariq Shaukat said in a blog post.

"Our work with Ascension is exactly that – a business arrangement to help a provider with the latest technology, similar to the work we do with dozens of other healthcare providers, Shaukat wrote. The list of care providers and healthcare records tech companies includes the Cleveland Clinic, the American Cancer Society, McKesson and Athena.

Shaukat said Google has a Business Associate Agreement (BAA) with Ascension, which governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care.

"This is standard practice in healthcare, as patient data is frequently managed in electronic systems that nurses and doctors widely use to deliver patient care," Shaukat said.

No matter how well intentioned the project's overseers say it is, the collection of private medical data has raised the ire of patients and lawmakers who have called for a federal inquiry into the practice.

The Office for Civil Rights in the Department of Health and Human Services "will seek to learn more information about this mass collection of individuals' medical records to ensure that HIPAA protections were fully implemented," the office's director, Roger Severino, said in a statement.

Third parties compiling patient data is not only common among healthcare providers and analytics tech firms, it's perfectly legal – as long as patients have given consent by signing a common HIPAA form. And, wittingly or not, most have done so, according to Cynthia Burghard, a research director at IDC.

"Databases of this size are not uncommon," Burghard said. "On face value, I don't see an issue. They [Google] signed the HIPAA compliant document for business associate arrangements. So, they complied with the law there. When you go to a healthcare provider's office as a patient, you sign a HIPAA release form, which allows the institutions to use your data for medical research or improved care management; so there is patient consent there.

"That said, long term can you trust Google or any high-tech company ... who's used to monetizing assets to not do something bad?" Burghard said.

Many healthcare providers are storing patient data for analytics purposes in a cloud somewhere, whether it's Amazon Web Services, Microsoft's Azure or Google Cloud.

In September, controversy around patient privacy erupted when Google acquired the health division of London-based AI firm DeepMind, which built a healthcare app used to give clinicians at National Health Service [NHS] hospitals easy access to medical records. DeepMind's Streams app was already controversial after a UK privacy watchdog found the NHS had illegally handed 1.6 million patient records to DeepMind as part of a trial.

Last year, Amazon, JPMorgan and Berkshire formed a partnership to create a private healthcare company aimed at lowering the cost of care.

According to Adam Tanner, author of the book "Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records," businesses that have nothing to do with medical treatment are allowed to buy and sell healthcare data, provided they remove certain fields of information, including birth date, name and Social Security number.

The guidelines, outlined in U.S. HIPAA rules, have allowed a multi-billion-dollar market in anonymized patient data to emerge in recent years, with data-mining firms collecting dossiers on hundreds of millions of patients, according to Tanner. A growing number of data scientists and healthcare experts say the same computing advances that allow the aggregation of millions of anonymized patient files into a dossier also make it increasingly possible to re-identify those files — that is, to match identities to patients.

An earlier study by Carnegie Mellon University showed how anonymized U.S. Census data could uniquely, or nearly uniquely, identify some individuals simply by combining a few characteristics found in populations.

"Clearly, data released containing such information about these individuals should not be considered anonymous. Yet, health and other person-specific data are publicly available in this form," said Latanya Sweeney, the report author and director of the Data Privacy Lab at Carnegie Mellon University.

The healthcare information, stripped of basic personal identifiers is sold off to researchers, drug developers, marketers and others. Medical informatics companies, such as Iqvia (IMS Health), Optum, and Symphony Health reap the profits of selling the healthcare data while the people from whom it's collected have no control over how it's used. Nor do they get any compensation for it.

Last year, start-up Hu-manity.co partnered with IBM to develop a blockchain-based electronic ledger that gives consumers the cryptographic key to their personal data, even allowing patients or others to control the specific purpose for which it's used, while also allowing them to eventually profit from it.

In 2015, IBM launched its Watson Health global analytics cloud to enable healthcare providers and researchers to upload and analyze patient data for greater insights into trends and to "improve individual and overall patient outcomes." The next year, IBM bought Truven Health Analytics for $2.6 billion, adding a trove of previously amassed patient data to its collection. It was IBM's fourth major health data-related acquisition since launching the Watson Health unit.

At the time of the Truven buyout, IBM Health announced it had healthcare data on "approximately 300 million patient lives," most from the U.S.

When IBM bought Truven, it got tens of millions of records and years of [health insurance] claims data "they could monetize by selling analysis and reports and access to your claims data," Burghard said.

Leo Wolfert / Getty Images

In the same way, Google's cloud analytics platform uses AI and machine learning to process patient data and deliver potential best practices for care and cost savings.

Amazon, Apple, Microsoft and other tech giants are also entering the healthcare arena, either with applications that enable access to patient electronic healthcare records, or with their own in-house healthcare programs.

Earlier this year, pharmacy giant CVS and its healthcare insurance subsidiary, Aetna, released an app that lets members opt-in to sharing their EMRS with Apple's health service; in turn, Apple will offer Apple Watch wearers personalized fitness and health goals.