Google has gained access to a huge trove of US patient data - without the need to notify those patients - thanks to a deal with a major health firm.
The scheme, dubbed Project Nightingale, was agreed with Ascension, which runs 2,600 hospitals.
Google can access health records, names and addresses without telling patients, according to the Wall Street Journal, which first reported the news.
The tech giant said this was "standard practice".
Among the data Google reportedly has access to under the deal are lab results, diagnoses, records of hospitalisation and dates of birth.
Neither doctors nor patients need to be told that Google can see this information.
The Wall Street Journal reports that data access began last year and was broadened over the summer.
In a blog, Google said its work with Ascension would adhere to industry-wide regulations, such as the US Health Insurance Portability and Accountability Act of 1996 (HIPAA).
"To be clear... patient data cannot and will not be combined with any Google consumer data," the firm added.
Ascension said the deal would help it to "optimise" patient care and would include the development of artificial intelligence (AI) tools to support doctors.
The company also said it would begin using Google's cloud data storage service and business applications known as G Suite.
However, Project Nightingale has already attracted criticism from those who argue that it takes away patients' control of their own data.
"There's a massive issue that these public-private partnerships are all done under private contracts, so it's quite difficult to get some transparency," said Prof Jane Kaye at the University of Oxford.
"Google is saying they don't link it to their other data but what they're doing all the time is refining their algorithms, refining what they do and giving them[selves] market advantage."
Health organisations are under increasing pressure to improve efficiency and quality of care. Many are turning to AI in an effort to sharpen their services, but such moves have sometimes faced criticism over how sensitive patient data is handled.
In the UK, Google's AI-focused subsidiary DeepMind was found to have broken the law when it failed to explain properly to patients how their data would be used in the development of a kidney disease app.
The tool, called Streams, was designed to flag up patients at risk of developing acute kidney injury.