Subscribe to Inc. This Morning, a daily news digest curated for those interested in entrepreneurship.

On Monday, the Wall Street Journal broke a big piece of news: Google has been amassing personal health data on 50 million Americans since 2018, and the patients (and their doctors) didn't even know.

Spent time in one of the 2,600-plus hospitals, doctors' offices, or nursing homes owned by Ascension, one of the U.S.'s largest health-care systems? Google may have access to your health records right now.

Arguably, the craziest part of this story isn't that Google has access to the personal health information of so many people. Rather, it's that the company's Project Nightingale, as it's been code-named, didn't have to become a scandal in the first place. 

Imagine this: Back in 2018, when Google and Ascension reportedly first struck their data-sharing deal, you got an email explaining what was happening. It noted that Ascension was using Google's cloud services to securely store health data, and that your doctor-patient confidentiality would remain safe. You might be skeptical--after all, Google doesn't have the best recent track record with data privacy--but you would at least know what was happening with your records. 

Instead, you're finding out through a newspaper's investigative report. You're learning that at least 150 Google employees could have access to your confidential data. And Google's response--a blog post published on Monday after the Journal article came out--doesn't inspire confidence. Not when it starts like this: "Today, we're proud to announce more details on our partnership with Ascension," as if the deal had just been signed.

Now, you probably have a lot of questions. A big one is what exactly Google will do with these records, given that a huge part of its business model centers around monetizing personal data. The company's blog post says "patient data cannot and will not be combined with any Google consumer data," but the Journal's follow-up report Tuesday says Google staffers are still parsing the data "and aren't yet positive what insights might be found or eventually produced."

Google insists the deal is legal. The Journal spoke to privacy experts who agree--but noted that if the company were to use the personal health data to perform independent research, that would be illegal.

Even if Google always intended to follow both the letter and spirit of the law, its lack of transparency sends a very different message. Being upfront with patients as early as possible might not have helped Google avoid all scrutiny in this situation--after all, health data is incredibly personal.

But it's the obviously non-evil thing to do. Remember that motto, Google?