This week, Google was strung up in the public square for a deal with a very large U.S. healthcare provider that netted it access to some 50 million patient healthcare records—without patients’ or doctors’ knowledge. As Google pushes more deeply into healthcare, Americans are left wondering whether they’re unwittingly handing over personal information to a company that has a history of mishandling it.

On Monday, the Wall Street Journal broke a story about how healthcare provider Ascension was providing Google with access to millions of patient health records as part of a project called Nightingale. Google had mentioned a partnership with Ascension during its second quarter earnings call, though the details of it were not previously known. The WSJ report revealed that Google is creating productivity tools for doctors that sift through complete medical records for pertinent data and make recommendations. The scope of the project and the public outrage has drawn the eyes of the Civil Rights Office of the Department of Health and Human Services, which is looking into whether Google is appropriately accessing patient data and adequately safeguarding it.

In an op-ed in the Guardian, an anonymous whistleblower who worked on Nightingale said they think there is great promise in using Google’s enormous computing power on medical data. “But the disadvantages prey on my mind,” they wrote. “Employees at big tech companies having access to personal information; data potentially being handed on to third parties; adverts one day being targeted at patients according to their medical histories.”

In response, Google has only issued a somewhat bewildering blog post, in which it explains the project and promises to work with regulators. The company also notes that it has a whole list of healthcare partners, including Cleveland Clinic, Kaiser Permanente, and the Mayo Clinic, among others, many of which are listed publicly. Much of what they use is Google cloud hosting and the productivity software G-suite. Some are also using Apigee, an app development and management platform that lets companies open up their data to outside developers. Kaiser Permanente first started using Apigee in 2013 to let developers create apps around its services, locations, and hours of operation (Google acquired Apigee in 2016).

As healthcare migrates online, there are questions about how patient data will be kept safe.

While Google hasn’t clarified the extent of its other partnerships, what Ascension and Google are working on is more representative of what Google wants to do in the future. The two companies are shifting Ascension’s healthcare infrastructure and data to the cloud and developing new tools they hope will make medical care better. Despite outcry over the lack of consent Google and Ascension obtained, the fact that patients were not notified of this arrangement is not necessarily unusual. HIPAA requires that electronic patient data must be kept confidential, but allows providers to disclose it for operational purposes like “improvement activities” as long as they have a business associate agreement outlining protections. HIPAA also requires healthcare providers to only share the minimum data necessary. But HIPAA, written in 1996, is not tailored for the digital age. As healthcare migrates online, there are questions about how patient data will be kept safe.

While Google’s creep into the healthcare system has been quiet, certainly its intentions have not. Alphabet, Google’s parent company, has been developing healthcare technology inside of Verily and DeepMind for years. In October, at a health tech conference in Las Vegas called HLTH, Google’s head of health David Feinberg spoke onstage at length about everything the company has planned and is already doing: making medicine more predictive and patient data more portable.

“Imagine a search bar on top of your [electronic health record] that needs no training. You can write ‘pneumonia’ and ‘chest X-ray’, you could even spell ‘penicillin’ wrong, you can ask for blood counts, and we know what you’re thinking about the same way we do when you Google-search in the rest of your life,” he said. Of course, all that takes precious patient data.