Latest in Breach

Image credit:

UK patients' data uploaded to Google servers, serious privacy concerns ensue (update)

Sarah Silbert

Sponsored Links

The National Health Service (NHS) of England has come under fire lately amid plans to share patient data with researchers and private companies, and today's revelation will only pile on the privacy concerns. The Guardian reports that extensive patient information from its HES (hospital episode statistics) data has been uploaded to Google servers. Patients' stats -- including their addresses, hospital records and more -- was uploaded to Google's BigQuery analytics tool by management consulting firm PA Consulting.

The fact that sensitive patient data has been uploaded -- to Google servers outside of the European Union, no less -- may be a huge breach in and of itself, but members of Parliament and patient groups are also questioning exactly how much data has been shared. PA Consulting said it produced interactive maps of hospital data, which implies that location info from patients' files was disclosed. And according to The Independent, patient information has been used by marketers to "target ads on social media." Clearly, there are many unanswered questions here, though more details are likely to emerge as the UK's Health and Social Care Information Center (HSCIC) investigates.

Update: This article originally stated that the "entire patient database for the NHS" was uploaded to Google servers, though only the HES database was uploaded.

Update 2: We also originally reported that it wasn't clear how PA Consulting obtained this data, though it actually requested access and worked with the NHS. The company provided us with the following statement:

Over the past two years we have run a project to show the NHS how insight can be quickly and cost-effectively generated from large volumes of health data, enabling better care for patients. PA signed a data sharing agreement to gain access to the Hospital Episode Statistics dataset from the Health and Social Care Information Centre. The dataset does not contain information that can be linked to specific individuals and is held securely in the cloud in accordance with conditions specified and approved by HSCIC. Access to the dataset is tightly controlled and restricted to the small PA project team.

PA Consulting also directed us to this statement from the HSCIC, which confirms its agreement to share anonymized data with the consulting firm. It also confirms that the NHS Information Center was aware that PA Consulting uploaded data to Google BigQuery, but that Google employees were restricted from accessing the information.

(Photo credit: Getty Images)

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr