Experts have called this news very worrying.
"This is a clear example of a lack of transparency in how hospitals are handling patient data", says Kevin Curran, a professor of cybersecurity at the Department of Computing, Engineering and the Built Environment at Ulster University.
He believes that tighter regulations on patient data sharing should be introduced in the US as the Internet is now an integral part of people's lives.
"In Europe, we have the General Data Protection Regulation (GDPR) which seeks to give control to EU residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU", the professor of cybersecurity explained.
GDPR covers patient data as well.
"In Europe, sharing data without permission would be against GDPR's data protection principles where users have to be informed as to how their personal data is used. They can no longer use 'dark design patterns' to trick users into consent. Now, consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in consent", Curran added.
On 1 November Google announced that it is buying fitness tracker company Fitbit for $2.1 billion.
Fitbit reassured its users that it takes the privacy of its millions of users seriously: "Fitbit health and wellness data will not be used for Google ads", the wearable company said in its press release.
But the cybersecurity scholar noted that this acquisition will give Google access to the data already recorded by over 28 million active Fitbit users.
"This data would include steps, speed, meals and more. This allows Google to mine it to improve its own Wear OS. Google wish to compete with Apple's activity app. The data ultimately allows Google to create more personalised and accurate logging of users' activities. Access to millions of records from other health providers also allows Google to learn more. The problem, however, is that patients did not consent. This is wrong", Curran concluded.
It's not the first time the tech giant has been accused of harvesting users' personal data.
In September, Google agreed to pay $170 million after its video service YouTube was accused of violating US federal law by collecting personal information about children. The US Federal Trade Commission (FTC) slapped the company with a $136 million fine, while the New York Attorney General fined it $34 million.
The FTC said on Wednesday that YouTube violated the Children's Online Privacy Protection Act (COPPA) by using cookies to attract viewers of children's channels under the age of 13 without parental consent and then using data collected to target them with ads.
And in July this year, it was revealed that Google's Android apps are harvesting users' data even if they don't give permission to do so.
A study by the International Computer Science Institute analysed 88,000 Android apps from the Google Play store and discovered that over 1,000 apps used other channels to collect data, including getting it from Wi-Fi connections or from user metadata that's often included in photos.