Major health data breaches and scandals

For an overview and account of significant cases and high-profile scandals involving health data in the years preceding 2013, we recommend the presentation [245KB PowerPoint file] by Ross Anderson, Professor of Security Engineering at the University of Cambridge Computer Laboratory, given at medConfidential’s launch conference, ‘Your Health: Your Records, Your Choice’.

In (roughly) reverse chronological order:

NHS Digital audits, 2016 to present

NHS Digital audits recipients of the data it releases on a rolling basis. A number of these audits reveal significant breaches of contract, and even breaches of data protection law, but – absent the statutory basis promised in 2014 – no recipient has received any lasting sanction, and no record of follow-up is published in some instances.

  • Having already been found to have breached its contract in September 2016, NHS Digital’s audit of Harvey Walsh (published in April 2017) revealed what appeared to be at least 4 breaches of the DPA; medConfidential asked the ICO and others to investigate…
    • The ‘information intermediary’ which, during the height of, boasted it held “over a billion linked patient HES records” continues to receive HES, and to service customers such as Pharma marketers under a commercial re-use agreement.
  • Other data recipients found to have committed major breaches of contract and/or significant bad practice include:
    • Moorfields Eye Hospital, January 2018 – processing and storing data at locations not stated in its Data Sharing Agreement; sharing data with third parties without proper agreement; failure to suppress small numbers* in data shared with third parties; several failures of security and operational procedure.
    • NHS South, Central and West Commissioning Support Unit, August 2017 – in servicing several CCGs, the CSU failed to identify that data were being processed outside of the EEA for over 18 months; all parties failed to identify correctly who was the Data Controller and who the Data Processor.
    • Health IQ, August 2016 – breach of Data Sharing Agreement by holding and processing data outside of the UK; failure to adequately suppress small numbers in data used in its online tool; several failures of security and operational procedure.
    • Methods Analytics, May 2016 – breach of Data Sharing Framework Contract and Data Sharing Agreement by holding and processing data outside of the UK; failure to adequately suppress small numbers in data used in an online tool; several failures of security and operational procedure.
      *That small-number counts still had to be suppressed in data released by NHS Digital clearly indicates that HES is not anonymous data under the GDPR definition.
  • Some of the above breaches may be considered all the more serious given that NHS Digital wrote to all data recipients following the discovery in late 2015 that several other recipients were storing and processing data on Amazon servers based in the Republic of Ireland, in breach of their Data Sharing Agreements.
  • medConfidential considers some of what NHS Digital deems “minor” security or operational breaches as potentially far more serious, given that a single breach of HES (see, e.g. ‘HES scandal, 2014’ below) could result in the entire nation’s hospital histories being made available, forever, on the black market. One of the greatest risks to patients’ data is not what may be done to it by people under contract, but by those who are not.

Home Office Memorandum of Understanding

For years, NHS Digital and its predecessor bodies, NHS IC and HSCIC, passed patients’ details – including their name, address and the details of their GP – to the Home Office, on HO officials’ assertions that immigration offences had taken place.

Grindr leaking HIV status; Samaritans’ Radar

Apps ‘leaking’ sensitive personal data is far from unprecedented – see also ‘NHS Apps Library’ below. In April 2018 it was revealed that popular gay dating app, Grindr, shared information about its users’ HIV status with third parties.

Persistence of ‘scammers’

Companies once given access to vast quantities of linked, individual-level patient data are reluctant to give it up. A number of outfits whose activities were suspended in 2014, following revelations about what they had been doing with HES, have since attempted to return to this profitable market. (See also ‘Pharmacy2U’ below.)

  • Earthware, which shut down its online tool and allegedly most of its operations servicing pharmaceutical companies as a result of the HES revelations in 2014, appears to have re-opened that line of business.
  • Some of the directors of SVM Pharma previously ran a company called OmegaSolver, which sold a tool called HALO Patient Analyser. The directors put OmegaSolver into liquidation after HSCIC looked into it in 2014, then started a new company which in late 2016 applied to NHS Digital for exactly the same data.
    • It was entirely coincidental that we noticed and tweeted about it in January 2017, and that someone from DAAG – the precursor to IGARD – noticed our tweets and asked NHS Digital to look into it, which then declined SVM Pharma’s application that was at that point being considered for approval.

Public Health England and William E Wecker Associates

Data from the medical records of 180,000 British lung cancer victims was provided to a controversial American firm, William E Wecker Associates, that has worked for one of the world’s biggest tobacco companies, Philip Morris International, for nearly 3 decades.

  • While now published as statistics, this case highlighted deficiencies of procedure at PHE and the fact that Data Protection law is effectively mute when it comes to handing NHS patients’ health data to a tobacco company.
  • PHE tells the public, “Cancer registration data will only be approved for release where the data is being used for a medical purpose.” – it is difficult to determine the medical purpose in this case, and for this recipient of data.
  • While it tries to present itself as the analogue of NHS Digital, PHE has neither the same statutory basis to disseminate data, nor does it apply the same policies – or even apply the policies it does have consistently, or accurately.

Google DeepMind / Royal Free Hospital

Google DeepMind cut a deal with the Royal Free Hospital and, without informing patients, copied 1.6 million people’s hospital records with the explicit intention of feeding the data to its AI. Following widespread criticism and a protracted investigation, the whole deal was found to be unlawful.

TPP exposes 26 million patients’ GP records

TPP’s implementation of record sharing in its IT systems – effectively mandating an ‘all or nothing’ approach to viewing records across all 6,600 of its customers, affecting 3,000 GP practices and 26 million NHS patients – was one of the largest ever breaches of medical confidentiality and sensitive personal data under the Data Protection Act.

Boots abusing SCR

High street pharmacy chains with increasingly predatory business models were given access to NHS patients’ Summary Care Records in 2015.

  • The national scheme to give pharmacists access was approved based on “research” that gathered responses from just 15 patients, and persistent lobbying by pharmacists.
  • Boots set targets and consistently applied pressure to staff in its stores to perform the maximum 400 Medicine Use Reviews (MURs) per year; the company makes £28 profit from each MUR, or £30 million per year.
  • Despite research by the Pharmacists’ Defence Association and multiple hearings in front of the regulator, the General Pharmaceutical Council, Boots has received no sanctions.

NHS Apps Library

In 2015, researchers at Imperial College London and Ecole Polytechnique CNRS, France, revealed a number of serious flaws with health apps being promoted by the NHS, which had launched a pilot Health Apps Library in 2013.

Pharmacy2U and marketing to patients

In early 2015, a wide-ranging investigation of dodgy data practices by the Daily Mail uncovered that the names and addresses of over 21,500 NHS patients, customers of the UK’s largest online pharmacy – part-owned by EMIS, the UK’s largest GP IT supplier – had been sold to marketers.

  • medConfidential complained on behalf of patients who had contacted us to the ICO and the General Pharmaceutical Council.
  • The ICO’s investigation, which resulted in a £130,000 fine, found that Pharmacy2U had unlawfully and unfairly sold patients’ personal data either directly, or through intermediaries, to scammers including:
    • Australian Lottery fraudsters targeting male pensioners who were more likely to have chronic health conditions, or cognitive impairments;
    • a Jersey-based ‘healthcare supplement’ company which the Advertising Standards Authority ruled against for “misleading advertising” and “unauthorised health claims”;
    • and a UK charity which used the details to solicit donations for people with learning disabilities.
  • At a fitness hearing in May 2016, the General Pharmaceutical Council suspended Pharmacy2U’s commercial director for three months, and gave its chief operating officer a warning. Meanwhile, the BMA called for custodial sentences and EMIS (bottom of page 5) sold its holding in P2U for £1.5 million. A year later, in 2017, a CQC report found Pharmacy2U to be “unsafe, not well led and ineffective”.

HSCIC HES scandal

Having been assured on national media by the head of NHS England’s programme that “no breaches” of Hospital Episode Statistics (HES) had occurred in 20 years, medConfidential investigated and discovered through Freedom of Information requests:

  • For those years the Health and Social Care Information Centre (HSCIC) could tell us about, under its predecessor the NHS Information Centre (NHSIC), there were known serious breaches* of HES in 2009, 2010, 2011 and 2012.
  • Published release registers from the period revealed NHSIC selling data to insurers; this turned out not to be unlawful, and led in part to amendments in the Care Act 2014 intended to prevent this in future. (Unfortunately, the “promotion of health” loophole remains for marketing.)
  • The Partridge Review that followed revealed systemic failings at NHSIC, that continued under HSCIC. It also publicly uncovered for the first time the existence of the ‘National Back Office’ (NBO) that passed patients’ information to the police, Home Office and others. (It was the ‘formalisation’ of this practice that led to the heavily criticised DH / NHS Digital / HO MoU that was suspended in 2018.)
  • It was the ongoing practice of HSCIC – renamed NHS Digital after these toxic revelations – that led to the Type-2 undertaking, which to this day and despite over 1.2 million patients exercising this opt-out, NHS Digital refuses to honour for HES.
    * The documentation reveals at least one incident where even the legal basis for handling the identifiable patient data that was breached was unclear.

NHS England’s programme, January 2014 – May 2016

In January 2014, NHS England launched, an initiative to combine information extracted from patients’ GP records with information gathered from hospitals, care providers and social services to make a single centralised database for a range of purposes (‘secondary uses’) other than patients’ direct care – including commissioning, research and commercial reuse.

HES uploaded to Google BigQuery

With the encouragement of NHS England, PA Consulting uploaded over 10 years’-worth of data from NHS patients’ hospital records to Google’s US-based cloud service, BigQuery.

Unfortunately, illegal snooping by authorised users and blaggers is a persistent, long-term problem…

So many people have access to NHS IT systems, for so many different reasons, that it is virtually impossible to prevent inappropriate and unlawful access to patients’ records. Even when this is discovered, the actions taken vary widely. Examples include:

  • As reported in May 2018, two members of NHS staff were disciplined – one was sacked, one was given a written warning – for reading Ed Sheeran’s medical records.
    • The information published in the news item about his accident would provide details more than sufficient to identify Mr Sheeran’s full medical history in HES: the date of event, the hospital attended, the nature of injury, and his home town (from which it is easy to find the truncated portion of the postcode used in HES).
  • A former vascular data coordinator at the Royal Stoke University Hospital, who resigned while under investigation, was fined £1,000 for accessing 398 patient records between October 2014 and April 2016.
  • When it came to light in 2011, the doctor who browsed the medical records of Prime Minister Gordon Brown, First Minister Alex Salmond and other high-profile Scots was never prosecuted.
  • As the Leveson Inquiry went on to prove, while individual curious and/or maliciously motivated people will always go snooping, the editors of some national newspapers – at least one of whom is still subject to ongoing legal actions in May 2018 – took a more systematic approach.
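Two defects recur in the cases above: small-number counts left unsuppressed in released data, and quasi-identifiers (date of event, hospital attended, nature of injury, partial postcode) that together single out one person in a record-level extract. Both are failures of statistical disclosure control, and both can be checked mechanically before a release. The following Python is an added illustration written for this page, not code from medConfidential, NHS Digital or any data recipient; the threshold of 5, the column names and every sample value are constructed assumptions. It applies primary and row-wise secondary suppression to an aggregate counts table, then measures k-anonymity over a record-level sample and shows one generalisation step (coarsening the date to a month) that removes the singled-out rows.

```python
"""Statistical disclosure control checks: small-number suppression and a
k-anonymity test over quasi-identifiers. Added illustration; all data are
constructed and the threshold is an assumption."""
from collections import Counter

# Assumed suppression threshold: cells and equivalence classes with a count
# below this are treated as a disclosure risk. Real schemes set their own value.
THRESHOLD = 5

# --- 1. Small-number suppression on an aggregate counts table -----------------

# Constructed sample: admissions by postcode district (rows) and diagnosis
# code (columns). Not real data.
SAMPLE_COUNTS = {
    "AB1": {"S52": 12, "S72": 3, "S82": 40},
    "AB2": {"S52": 0, "S72": 25, "S82": 31},
    "AB3": {"S52": 2, "S72": 1, "S82": 9},
}


def suppress_small_numbers(table, threshold=THRESHOLD):
    """Return a copy of the table with small cells hidden (None) and row totals added.

    Primary suppression hides any cell in 1..threshold-1 (zeros are published).
    Row-wise secondary suppression: if exactly one cell in a row is hidden, a
    published row total would let a reader recover it by subtraction, so the
    smallest remaining non-zero cell is hidden too; if there is none, the total
    itself is withheld. Column-wise complementary suppression is out of scope here.
    """
    out = {}
    for row, cells in table.items():
        total = sum(cells.values())
        cleaned = {col: (None if 0 < n < threshold else n) for col, n in cells.items()}
        hidden = [col for col, v in cleaned.items() if v is None]
        if len(hidden) == 1:
            candidates = [(v, col) for col, v in cleaned.items() if v is not None and v > 0]
            if candidates:
                cleaned[min(candidates)[1]] = None
            else:
                total = None
        cleaned["total"] = total
        out[row] = cleaned
    return out


# --- 2. k-anonymity over quasi-identifiers in record-level data --------------

# Columns that, combined, may single out a person even without a name.
QUASI_IDENTIFIERS = ("event_date", "hospital", "diagnosis", "postcode_district")

# Constructed record-level sample: five identical rows at H01, and five rows at
# H02 that differ only by admission day. Not real data.
SAMPLE_ROWS = [
    {"event_date": "2018-05-07", "hospital": "H01", "diagnosis": "S52", "postcode_district": "AB1"}
    for _ in range(5)
] + [
    {"event_date": f"2018-05-{day:02d}", "hospital": "H02", "diagnosis": "S72", "postcode_district": "AB2"}
    for day in (3, 9, 14, 21, 28)
]


def equivalence_classes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count rows sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class (0 for an empty dataset)."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(classes.values()) if classes else 0


def risky_classes(rows, quasi_identifiers=QUASI_IDENTIFIERS, k=THRESHOLD):
    """Combinations seen fewer than k times: each such row is at risk of being singled out."""
    return {key: n for key, n in equivalence_classes(rows, quasi_identifiers).items() if n < k}


def generalise_dates(rows):
    """One mitigation: coarsen the event date from YYYY-MM-DD to YYYY-MM."""
    return [{**r, "event_date": r["event_date"][:7]} for r in rows]


if __name__ == "__main__":
    for row, cells in suppress_small_numbers(SAMPLE_COUNTS).items():
        print(row, cells)
    print("k before generalisation:", k_anonymity(SAMPLE_ROWS), risky_classes(SAMPLE_ROWS))
    coarse = generalise_dates(SAMPLE_ROWS)
    print("k after generalisation:", k_anonymity(coarse), risky_classes(coarse))
```

Run as a script it prints the suppressed table and the k value before and after generalisation. Two design points matter in practice: a row with a single hidden cell and a published total is not suppressed at all, which is why the secondary step exists; and k-anonymity must be re-measured after every linkage, because each linked dataset adds columns that can act as quasi-identifiers, so a release that met the threshold on its own may not once an intermediary joins it to other data.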

The only way to be sure who has accessed your records is to check for yourself. This is why medConfidential encourages anyone who has concerns to get a Patient Online account, and use the online mechanisms now being made available by GP practices.
