A former Alphabet executive is accusing the company's health tech subsidiary Verily of systematically violating patient privacy laws and then covering it up. Ryan Sloan claims he was fired after reporting that Verily used health data from over 25,000 diabetes patients without authorization, breaching federal HIPAA protections. The whistleblower lawsuit, quietly filed last year but just surfaced, survived Verily's attempt to dismiss it this week.
The bombshell allegations paint a picture of corporate negligence at one of Google's most ambitious health ventures. Sloan, who served as chief commercial officer of Verily's diabetes division Onduo from 2020 to 2023, claims he discovered the violations in January 2022 alongside the unit's general counsel Julia Feldman. According to court documents filed in San Francisco federal court, their investigation revealed "extensive violations" spanning four years.
The breaches weren't minor oversights. Verily allegedly used protected patient information in research studies, marketing campaigns, press releases, and national conferences without proper authorization. The violations affected patients who accessed Verily's Onduo diabetes program through major corporate clients including Walgreens Boots Alliance, Quest Diagnostics, Delta Air Lines, and Highmark Health.
"Between January and March of 2022, internal investigators at Verily confirmed multiple breaches of fourteen separate HIPAA Business Associate Agreements," the filing states. Under federal healthcare privacy laws, companies must notify affected parties within 60 days of discovering a breach. Instead, Verily "decided to delay the decision of notifying the covered entities" and continued contract negotiations with clients "without revealing that a HIPAA breach had recently occurred."
The cover-up allegations are particularly damning. During a contract renewal negotiation with Highmark Health in August 2022, Verily allegedly "represented that it was in compliance with HIPAA at all times, while knowingly concealing that a HIPAA breach had occurred," according to the lawsuit. That same month, the company terminated Feldman and another employee who knew about the breaches.
When Sloan pressed his concerns with Lisa Greenbaum, Verily's then-chief revenue officer, in October 2022, she allegedly defended the decision not to disclose the breaches, saying it would "negatively affect public relations." Greenbaum has since moved to health tech company Doximity as chief commercial officer.
The retaliation escalated through late 2022. In November, Verily allegedly suppressed a press release "out of concern that it would draw attention to previous marketing studies that violated its HIPAA Business Associate Agreements." The company pulled the release from its website and instructed staff never to mention it again, the filing claims.
Sloan's termination came in January 2023 while he was on protected family leave caring for his "critically ill mother," according to the lawsuit. The timing appears designed to send a message to other potential whistleblowers.
Verily vehemently denies the allegations. "Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit," a company spokesperson told CNBC. "Verily will defend itself to the full extent of the law."
But the legal setback comes at a vulnerable time for the Alphabet subsidiary. Despite raising over $1 billion from investors since spinning out of Google X in 2015, Verily has struggled to find its footing. The company pivoted from hardware like glucose monitors to pandemic response during COVID-19, then shifted again to "precision health" in 2022. According to a Business Insider report, Verily is now restructuring from an LLC to a C-corp to attract fresh funding.
The affected corporate clients are staying mostly quiet. Delta said it's "looking into this and will make sure any impact to our people is appropriately addressed." Quest Diagnostics said it's "not familiar with the allegations." Walgreens and Highmark declined to comment.
This lawsuit represents more than just another corporate compliance failure - it strikes at the heart of trust in big tech's healthcare ambitions. As Google, Amazon, Apple, and Microsoft all push deeper into medical data and AI-powered healthcare, patient privacy violations at this scale could trigger regulatory scrutiny across the industry.
Monday's court ruling keeping the lawsuit alive means Verily faces months of discovery and potential depositions that could reveal more details about the alleged cover-up. For Alphabet investors, the case adds regulatory risk to a subsidiary already struggling to justify its billion-dollar investment. More broadly, it's a warning shot for big tech companies handling sensitive health data - the days of moving fast and breaking things don't work when patient privacy is on the line.
