Full NHS hospital records uploaded to Google servers, "infinitely worse" story to come

PA Consulting, a management consulting firm, obtained the entire English and Welsh hospital episode statistics database and uploaded it to Google's Bigquery service. The stats filled 27 DVDs and took "a couple of weeks" to transfer to Google's service, which is hosted in non-EU data centres. This is spectacularly illegal. The NHS dataset includes each patient's NHS number, post code, address, date of birth and gender, as well as all their inpatient, outpatient and emergency hospital records. Google's Bigquery service allows for full data-set sharing with one click.

The news of the breach comes after the collapse of a scheme under which the NHS would sell patient records to pharma companies, insurers and others (there was no easy way to opt out of the scheme, until members of the public created the independent Fax Your GP service).

According to researcher and epidemiologist Ben Goldacre, this story is just the beginning: there's an "infinitely worse" story that is coming shortly.

Sarah Wollaston, who is also a family doctor and Conservative backbencher, tweeted: "So HES [hospital episode statistics] data uploaded to 'google's immense army of servers', who consented to that?"

The patient information had been obtained by PA Consulting, which claimed to have secured the "entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E".

The data set was so large it took up 27 DVDs and took a couple of weeks to upload. The management consultants said: "Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds."

The revelations alarmed campaigners and privacy experts, who queried how Google maps could have been used unless some location data had been provided in the patient information files.

NHS England patient data 'uploaded to Google servers', Tory MP says [Randeep Ramesh/The Guardian]

(via Charlie Stross)

Notable Replies

  1. I am just going to take a wild guess and say that it was actually on 27 discs. That is the way the US gov't delivers data too. It's more about the tedious job it was than the amount of data.

  2. Reporters don't go far enough, in my opinion. The real question is how many floppy discs are we talking about and if laid end-to-end, how far would they reach?

  3. I want to know if the punchcards would stack to the moon.

  4. I've been poking around - might have got this wrong, but here goes:

    HSCIC have released a statement saying that they released the data to PA Consulting, with a very strict agreement to limit the use of the data to certain named individuals.

    HSCIC have released another statement saying that they are "investigating urgently the source of the data used by Earthware UK"

    It looks like this Earthware company developed a mapping tool using this data - there's a screenshot at - https://twitter.com/cknott20/status/440548069373779968/photo/1

    Earthware's blog has (had) a post from October 2013, stating "As well as our Hospital Episodes Map which Healthcare companies and the NHS use to understand the flow of patients through the healthcare system, containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. A useful tool to know what goes on where!"

    So, quite possibly, this data was searchable and publicly available.

  5. Well, it now turns out that confidential health service data was delivered to an agency set up by Lovecraftian Great Old Ones, who used the information to rank every person in the British Isles according to their edibility, accompanying the ratings with tasting notes ("a naive little primary school teacher with a rather velvety finish and poignant aftertastes of apricot and childhood sadness"). Acting on this information, Hastur the Unspeakable recently ate Glasgow and everyone in it.

    So yes, 'infinitely worse' may be an exaggeration, but less than you might think.

Continue the discussion bbs.boingboing.net

46 more replies