Dubbed “Project Nightingale,” the secretive program brought together Google and healthcare giant Ascension in an effort to collect medical records on patients across 21 states, according to a report in the Wall Street Journal. The data sharing began last year, and has only accelerated in recent months.

At least 150 employees at Google’s Cloud division now have access to the bulk of the data, which amounts to information on tens of millions of patients, according to a source familiar with the records. The details shared include patient names and dates of birth, hospitalization records, lab results and doctor diagnoses, which together provide a complete medical history for many of the patients – all without their consent.

Google says it hopes to use the data to develop an application employing AI and machine learning to track patients and recommend treatments, and ultimately has its eye on creating a search engine that can aggregate disparate patient data in one place. While Google is carrying out its research totally free of charge, presumably for the greater good, the multi-billion dollar corporation is unlikely to miss its chance to monetize the service once health providers around the world are hooked up. Many found Google’s initiative disconcerting, even more so due to the guise of noble and altruistic intentions.

“Wow – this is downright alarming. Do you trust Google with your blood test results, diagnoses, sensitive health information?” asked attorney and Republican National Committee member Harmeet K. Dhillon in a tweet. “Google’s secret ‘Project Nightingale’ gathers personal health data on millions of Americans.”

The company launched Google Health in 2008, but shuttered it less than four years later after failing to persuade enough users to hand over their medical records willingly, perhaps uncomfortable with the firm having access to such sensitive information. The tech giant has since cut individual consent out of its quest to amass healthcare data, going over the heads of patients to make deals with health providers instead.

In September, the company allied with the Minnesota-based Mayo Clinic to provide cloud services and data analytics in a 10-year “strategic partnership,” which will give Google access to data on up to 1 million patients at the clinic each year.

In another mass data grab earlier this month, the company purchased the maker of the fitness tracking device Fitbit, gobbling up the data of some 28 million active users of the gadget. The data goes beyond simple fitness tracking, such as the number of steps one takes per day, as some users opt to link the device to additional medical or insurance records. While Google vowed to never hand out the Fitbit information to third parties, customers may still have reason to be skeptical about the integrity of their data.

Over the summer, Google and another partnered healthcare facility, the University of Chicago Medical Center, came under fire in a lawsuit alleging the hospital gave Google medical records on hundreds of thousands of patients without stripping them of identifying information. The case mirrored a similar mishap across the pond in 2017, in which the UK’s National Health Service passed the company data on 1.6 million patients in violation of privacy laws.

The secretive data sharing between Ascension and Google is absolutely legal under US federal law, both companies said, insisting that all necessary safeguards to protect patient privacy are in place – as if it ever stopped data leaks. The 1996 Health Insurance Portability and Accountability (HIPA) Act allows hospitals and other healthcare providers to pass data to business partners without informing patients so long as it “help[s] the covered entity carry out its health care functions.”

Ascension – a network of some 2,600 hospitals, doctors’ offices and other medical facilities – says it’s doing just that, seeking to use the data to improve care and identify additional tests patients might need. However, documents reviewed by the Journal also suggest the company, like Google, has its bottom line in mind, hoping to use the data-mining to generate more revenue as well.