A Tory MP has raised the alarm after the entire NHS hospital patient database for England was given to management consultants who uploaded it to Google servers based outside the UK. Sarah Wollaston, previously a family doctor and now a Conservative backbencher, found that PA Consulting had bought data for inpatients, outpatients and Accident and Emergency before uploading it to Google. The amount of data was so large it took up 27 DVDs and took two weeks to upload to Google’s servers.
PA Consulting used a special Google tool called BigQuery to analyse the data. The company said the data didn’t contain “information linked to specific individuals”. Concerns have been raised that storing the data on Google’s systems could easily see it leaked or inadvertently shared. In a report, PA Consulting boasted that two weeks after uploading the patient data to Google’s BigQuery service, it was able to “produce interactive maps in seconds”. In a separate incident an online mapping company had its website hauled offline amid concerns it had acquired identifiable patient records without regulatory scrutiny. Hertfordshire-based Earthware hosted a tool that could locate areas in England where specific people had gone for treatment. While this didn’t name individual patients, there was a significant risk that people could have been identified, despite data-protection rules that limit the release of data about fewer than five individuals. Health authorities have launched an investigation.
The NHS is currently embroiled in a debate over protection of patient data, with reports that pharmaceutical firms, private health providers and Government departments had either attempted to or obtained patient data. Last month NHS England announced a six-month delay to its much-criticised care.data scheme (www.nhs.uk/caredata), which linked GP reports with hospital data.