For an overview and account of significant cases and high-profile scandals involving health data in the years preceding 2013, we recommend the presentation [245KB PowerPoint file] by Ross Anderson, Professor of Security Engineering at the University of Cambridge Computer Laboratory, given at medConfidential’s launch conference, ‘Your Health: Your Records, Your Choice’.

In (roughly) reverse chronological order:

NHS Digital audits, 2016 to present

NHS Digital audits recipients of the data it releases on a rolling basis. A number of these audits reveal significant breaches of contract, and even breaches of data protection law, but – absent the statutory basis promised in 2014 – no recipient has received any lasting sanction, and no record of follow-up is published in some instances.

• Having already been found to have breached its contract in September 2016, NHS Digital’s audit of Harvey Walsh (published in April 2017) revealed what appeared to be at least 4 breaches of the DPA; medConfidential asked the ICO and others to investigate…
  • The ‘information intermediary’ which, during the height of care.data, boasted it held “over a billion linked patient HES records” continues to receive HES, and to service customers such as Pharma marketers under a commercial re-use agreement.
• Other data recipients found to have committed major breaches of contract and/or significant bad practice include:
  • Moorfields Eye Hospital, January 2018 – processing and storing data at locations not stated in its Data Sharing Agreement; sharing data with third parties without proper agreement; failure to suppress small numbers* in data shared with third parties; several failures of security and operational procedure.
  • NHS South, Central and West Commissioning Support Unit, August 2017 – in servicing several CCGs, the CSU failed to identify that data were being processed outside of the EEA for over 18 months; all parties failed to identify correctly who was the Data Controller and who the Data Processor.
  • Health IQ, August 2016 – breach of Data Sharing Agreement by holding and processing data outside of the UK; failure to adequately suppress small numbers in data used in its online tool; several failures of security and operational procedure.
  • Methods Analytics, May 2016 – breach of Data Sharing Framework Contract and Data Sharing Agreement by holding and processing data outside of the UK; failure to adequately suppress small numbers in data used in an online tool; several failures of security and operational procedure.
    *That small number counts remained to be suppressed in data released by NHS Digital clearly indicates that HES is not anonymous data under the GDPR definition.
• Some of the above breaches may be considered all the more serious given that NHS Digital wrote to all data recipients following the discovery in late 2015 that several other recipients were storing and processing data on Amazon servers based in the Republic of Ireland, in breach of their Data Sharing Agreements.
• medConfidential considers some of what NHS Digital deems “minor” security or operational breaches as potentially far more serious, given that a single breach of HES (see, e.g. ‘HES scandal, 2014’ below) could result in the entire nation’s hospital histories being made available, forever, on the black market. One of the greatests risk to patients’ data is not what may be done to it by people under contract, but by those who are not.

Home Office Memorandum of Understanding

For years, NHS Digital and its predecessor bodies, NHS IC and HSCIC, passed patients’ details – including their name, address and the details of their GP – to the Home Office, on HO officials’ assertions that immigration offences had taken place.

• The existence of the National Back Office (NBO) is exposed by the Partridge Review in 2014; new data release registers reveal the Home Office is by far the largest user of NBO’s Tracing Service.
• A National Back Office Tracing Service review led by Professor Maria Goddard is begun in 2015. The review stalls in 2016, and is not finally published until November 2017.
• In late 2016, an MoU is signed to “formalise” NHS Digital’s ongoing practice, but this dangerously expands the information given about patients to the Home Office.
• Having considered the MoU in 2017, the Health Select Committee holds an inquiry in early 2018, the outcome of which is highly critical.
• Government suspends the MoU and halts the process as Windrush scandal escalates, May 2018; the threshold for NBO passing on patients’ information is raised to serious crime.

Grindr leaking HIV status; Samaritans’ Radar

Apps ‘leaking’ sensitive personal data is far from unprecedented – see also ‘NHS Apps Library’ below. In April 2018 it was revealed that popular gay dating app, Grindr, shared information about its users’ HIV status with third parties.

• Grindr sent HIV information together with users’ GPS data, phone ID and email, thus identifying specific people and their HIV status.
• Although initially well-intentioned, the Samaritans’ Radar app that was supposed to detect when people on Twitter appeared to be suicidal had to be pulled within a week of its launch in October 2014, due to “serious” concerns.

Persistence of ‘scammers’

Companies once given access to vast quantities of linked, individual-level patient data are reluctant to give it up. A number of outfits whose activities were suspended in 2014, following revelations about what they had been doing with HES, have since attempted to return to this profitable market. (See also ‘Pharmacy2U’ below.)

• Earthware, which shut down its online tool and allegedly most of of its operations servicing pharmaceutical companies as a result of the HES revelations in 2014, appears to have re-opened that line of business.
• Some of the directors of SVM Pharma previously ran a company called OmegaSolver, which sold a tool called HALO Patient Analyser. The directors put OmegaSolver into liquidation after HSCIC looked into it in 2014, then started a new company which in late 2016 applied to NHS Digital for exactly the same data.
  • It was entirely coincidental that we noticed and tweeted about it in January 2017, and that someone from DAAG – the precursor to IGARD – noticed our tweets and asked NHS Digital to look into it, which then declined SVM Pharma’s application that was at that point being considered for approval.

Public Health England and William E Wecker Associates

Data from the medical records of 180,000 British lung cancer victims was provided to a controversial American firm, William E Wecker Associates, that has worked for one of the world’s biggest tobacco companies, Philip Morris International, for nearly 3 decades.

• While now published as statistics, this case highlighted deficiencies of procedure at PHE and the fact that Data Protection law is effectively mute when it comes to handing NHS patients’ health data to a tobacco company.
• PHE tells the public, “Cancer registration data will only be approved for release where the data is being used for a medical purpose.” – it is difficult to determine the medical purpose in this case, and for this recipient of data.
• While it tries to present itself as the analogue of NHS Digital, PHE has neither the same statutory basis to disseminate data, nor does it apply the same policies – or even apply the policies it does have consistently, or accurately.

Google DeepMind / Royal Free Hospital

Google DeepMind cut a deal with the Royal Free Hospital and, without informing patients, copied 1.6 million people’s hospital records with the explicit intention of feeding the data to its AI. Following widespread criticism and a protracted investigation, the whole deal was found to be unlawful.

• More detail and references in medConfidential’s analysis of the DeepMind / Royal Free deal, from its inception in 2015 to when it was determined to be unlawful in 2017.

TPP exposes 26 million patients’ GP records

TPP’s implementation of record sharing in its IT systems – effectively mandating an ‘all or nothing’ approach to viewing records across all 6,600 of its customers, affecting 3,000 GP practices and 26 million NHS patients – was one of the largest ever breaches of medical confidentiality and sensitive personal data under the Data Protection Act.

• GPs were not told that TPP’s “enhanced data sharing” function made their patients’ records available to view by hundreds of thousands of other TPP users – including staff in care homes and prisons, immigration removal centres and police station custody suites.
• TPP’s system had evolved without sufficient internal security, and with no mechanism to prevent anyone who chose to look.
• Despite ignoring complaints from GPs and the GMC over years, after pressure from NHS Digital, DH and others, and an investigation by the National Data Guardian and ICO, TPP finally put in place measures to allow doctors to choose which organisations could see their patients’ records and enabling patients to see who has accessed their GP record.

Boots abusing SCR

High street pharmacy chains with increasingly predatory business models were given access to NHS patients’ Summary Care Records in 2015.

• The national scheme to give pharmacists access was approved based on “research” that gathered responses from just 15 patients, and persistent lobbying by pharmacists.
• Boots set targets and consistently applied pressure to staff in its stores to perform the maximum 400 Medicine Use Reviews (MURs) per year; the company makes £28 profit from each MUR, or £30 million per year.
• Despite research by the Pharmacists’ Defence Association and multiple hearings in front of the regulator, the General Pharmaceutical Council, Boots has received no sanctions.

NHS Apps Library

In 2015, researchers at Imperial College London and Ecole Polytechnique CNRS, France, revealed a number of serious flaws with health apps being promoted by the NHS, which had launched a pilot Health Apps Library in 2013.

• The research study, conducted in 2014, concluded there were “systematic gaps in compliance with data protection principles in accredited health apps”.
• medConfidential had independently raised concerns at the inclusion of over half of the 250+ apps on the site, citing breaches of the Library’s own criteria that apps be “safe, relevant to the UK, and compliant with the Data Protection Act”  for over 60 of the apps.
• Several of the worst offenders were removed immediately – including an app called ‘My Sex Doctor’ that targeted teenagers with sex advice, with a published business model: “Once gained their trust we can leverage it for commercial purposes” – and the whole Apps Library was closed in late 2015.
• The Library was quietly relaunched in 2017 but as recently as March 2018, two private online GP services apps by Babylon and Now Healthcare Group were dropped from the current ‘Beta’ version.

Pharmacy2U and marketing to patients

In early 2015, a wide-ranging investigation of dodgy data practices by the Daily Mail uncovered that the names and addresses of over 21,500 NHS patients, customers of the UK’s largest online pharmacy – part-owned by EMIS, the UK’s largest GP IT supplier – had been sold to marketers.

• medConfidential complained on behalf of patients who had contacted us to the ICO and the General Pharmaceutical Council.
• The ICO’s investigation, which resulted in a £130,000 fine, found that Pharmacy2U had unlawfully and unfairly sold patients’ personal data either directly, or through intermediaries, to scammers including:
  • Australian Lottery fraudsters targeting male pensioners who were more likely to have chronic health conditions, or cognitive impairments;a Jersey-based ‘healthcare supplement’ company which the Advertising Standards Authority ruled against for “misleading advertising” and “unauthorised health claims”;and a UK charity which used the details to solicit donations for people with learning disabilities.
• At a fitness hearing in May 2016, the General Pharmaceutical Council suspended Pharmacy2U’s commercial director for three months, and gave its chief operating officer a warning. Meanwhile, the BMA called for called for custodial sentences and EMIS (bottom of page 5) sold its holding in P2U for £1.5 million. A year later, in 2017, a CQC report found Pharmacy2U to be “unsafe, not well led and ineffective”.

HSCIC HES scandal

Having been assured on national media by the head of NHS England’s care.data programme that “no breaches” of Hospital Episode Statistics (HES) had occurred in 20 years, medConfidential investigated and discovered through Freedom of Information requests:

• For those years the Health and Social Care Information Centre (HSCIC) could tell us about, under its predecessor the NHS Information Centre (NHSIC), there were known serious breaches* of HES in 2009, 2010, 2011 and 2012.
• Published release registers from the period revealed NHSIC selling data to insurers; this turned out not to be unlawful, and led in part to amendments in the Care Act 2014 intended to prevent this in future. (Unfortunately, the “promotion of health” loophole remains for marketing.)
• The Partridge Review that followed revealed systemic failings at NHSIC, that continued under HSCIC. It also publicly uncovered for the first time the existence of the ‘National Back Office’ (NBO) that passed patients’ information to the police, Home Office and others. (It was the ‘formalisation’ of this practice that led to the heavily criticised DH / NHS Digital / HO MoU that was suspended in 2018.)
• It was the ongoing practice of HSCIC – renamed NHS Digital after these toxic revelations – that led to the Type-2 undertaking, which to this day and despite over 1.2 million patients exercising this opt-out,  NHS Digital refuses to honour for HES.
  * The documentation reveals at least one incident where even the legal basis for handling the identifiable patient data that was breached was unclear.

NHS England’s care.data programme, January 2014 – May 2016

In January 2014, NHS England launched care.data, an initiative to combine information extracted from patients’ GP records with information gathered from hospitals, care providers and social services to make a single centralised database for a range of purposes (‘secondary uses’) other than patients’ direct care – including commissioning, research and commercial reuse.

• The programme was mismanaged and miscommunicated; it provided inadequate protections for patients’ data rights, flew in the face of consent and confidentiality, leading to public outcry and conflicts with doctors, patients and Parliament.
• While ultimately no patients’ data was extracted from GP systems, because it impacted upon every patient in England, the care.data communications programme represents the NHS’ largest ever breach of fair processing.
• Paused first in February 2014, and then three further times, NHS England’s flagship programme was finally scrapped in the summer of 2016.
• The care.data debacle has been covered extensively in the media and elsewhere. Here are three peer-reviewed academic papers written about it:
• • Sterck S, Rakic V, Cockbain J & Borry P. “You hoped we would sleep walk into accepting the collection of our data”: controversies surrounding the UK care.data scheme and their wider relevance for biomedical research. Medicine, Health Care and Philosophy, June 2016, Volume 19, Issue 2.
  • Amor B, Vuik S, Callahan R, Darzi A, Yaliraki S N, Barahona M. Community detection and role identification in directed networks: understanding the Twitter network of the care.data debate. World Scientific Review. August 2015, Chapter 1.
  • Presser L, Hruskova M, Rowbottom H, Kancir J. Care.data and access to UK health records: patient privacy and public trust. Technology Science. August 11, 2015

HES uploaded to Google BigQuery

With the encouragement of NHS England, PA Consulting uploaded over 10 years’-worth of data from NHS patients’ hospital records to Google’s US-based cloud service, BigQuery.

• On learning of the incident, former GP and (now) Chair of the Commons Health Select Committee, Sarah Wollaston MP tweeted: “So HES [hospital episode statistics] data uploaded to ‘google’s immense army of servers’, who consented to that?”
• FIPR, medConfidential and Big Brother Watch submitted a formal complaint to the ICO regarding the uploading of HES to Google servers outside the EEA; on the basis that dated, linked, individual-level medical episodes were deemed ‘not personal data’, the ICO at the time decided no breach had occurred.

Unfortunately, illegal snooping by authorised users and blaggers is a persistent, long-term problem…

So many people have access to NHS IT systems, for so many different reasons, that it is virtually impossible to prevent inappropriate and unlawful access to patients’ records. Even when this is discovered, the actions taken vary widely. Examples include:

• As reported in May 2018, two members of NHS staff were disciplined – one was sacked, one was given a written warning – for reading Ed Sheeran’s medical records.
  • The information published in the news item about his accident would provide details more than sufficient to identify Mr Sheeran’s full medical history in HES: the date of event, the hospital attended, the nature of injury, and his home town (from which it is easy to find the truncated portion of the postcode used in HES).
• A former vascular data coordinator at the Royal Stoke University Hospital, who resigned while under investigation, was fined £1,000 for accessing 398 patient records between October 2014 and April 2016.
• When it came to light in 2011, the doctor who browsed the medical records of Prime Minister Gordon Brown, First Minister Alex Salmond and other high-profile Scots was never prosecuted.
• As the Leveson Inquiry went on to prove, while individual curious and/or maliciously motivated people will always go snooping, the editors of some national newspapers – at least one of whom is still subject to ongoing legal actions in May 2018 – took a more systematic approach.

The only way to be sure who has accessed your records is to check for yourself. This is why medConfidential encourages anyone who has concerns to get a Patient Online account, and use the online mechanisms now being made available by GP practices.