Full NHS hospital records uploaded to Google servers, "infinitely worse" story to come

PA Consulting, a management consulting firm, obtained the entire English and Welsh hospital episode statistics database and uploaded it to Google's Bigquery service. The stats filled 27 DVDs and took "a couple of weeks" to transfer to Google's service, which is hosted in non-EU data centres. This is spectacularly illegal. The NHS dataset includes each patient's NHS number, post code, address, date of birth and gender, as well as all their inpatient, outpatient and emergency hospital records. Google's Bigquery service allows for full data-set sharing with one click.

The news of the breach comes after the collapse of a scheme under which the NHS would sell patient records to pharma companies, insurers and others (there was no easy way to opt out of the scheme, until members of the public created the independent Fax Your GP service).

According to researcher and epidemiologist Ben Goldacre, this story is just the beginning: there's an "infinitely worse" story that is coming shortly.

Sarah Wollaston, who is also a family doctor and Conservative backbencher, tweeted: "So HES [hospital episode statistics] data uploaded to 'google's immense army of servers', who consented to that?"

The patient information had been obtained by PA Consulting, which claimed to have secured the "entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E".

The data set was so large it took up 27 DVDs and took a couple of weeks to upload. The management consultants said: "Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds."

The revelations alarmed campaigners and privacy experts, who queried how Google maps could have been used unless some location data had been provided in the patient information files.

NHS England patient data 'uploaded to Google servers', Tory MP says [Randeep Ramesh/The Guardian]

(via Charlie Stross)