• by Wendy Davis  @wendyndavis, April 28, 2021

Google has been hit with a lawsuit for allegedly exposing sensitive medical data of people who used its COVID-19 contact tracing app on Android devices.

The lawsuit, brought Tuesday by California residents Jonathan Diaz and Lewis Bornmann, comes several days after the security company AppCensus reported that Google's implementation of a joint Google-Apple exposure notification system places information in a system log that can be read by pre-installed apps on Androids.

“Google unequivocally assures that it completely safeguards the sensitive information necessarily involved with COVID-19 contact tracing,” Diaz and Bornmann allege in a class-action complaint brought in U.S. District Court for the Northern District of California.

Diaz and Bornmann, who say they downloaded the contact-tracing app to Android devices last December, allege that Google's implementation exposed people's “private personal and medical information associated with contact tracing.”

The lawsuit claims that Google violated their right to privacy under California law, as well as a state law regarding medical information.

Google spokesperson José Castañeda says the company has updated its code and is “ensuring the fix is rolled out to users.”

Joel Reardon, co-founder of security company AppCensus, wrote this week that his company disclosed the potential data leak to Google in February.

“As more than 60 days have elapsed, we are following Google’s recommendation that researchers publish their findings about the vulnerability,” he wrote. “Even if a patch were released to stop this logging, however, log data may have been already uploaded. It is crucial that any entity that has collected system log data from Android devices sanitize any entry containing contact-tracing data, and that this unnecessary logging be stopped as soon as possible.”