LONDON – The process considered by many to be the “stealth” privatization of the United Kingdom's National Health Service (NHS) took another significant turn with the recent mass leak of patient information.

Patient details were shared with organizations including private health insurance companies, many based in the United States. Last month's information leak came in the wake of rapid slashing of NHS services such as Accident and Emergency departments and cancer treatment.

The so-called health reforms have set what many see as a precedent for the eventual handover of the nation's public healthcare system to private companies, in the style of the U.S. – despite Prime Minister David Cameron's insistence that this will not occur.

The latest data share leak is only one of a growing number of incidents that have wracked the NHS. It was revealed following an audit conducted by the Health and Social Care Information Centre, the NHS body charged with protecting patient data. The audit showed widespread confidentiality lapses over a period of eight years under the HSCIC's predecessor organization, the NHS Information Centre.

Commissioned after Members of Parliament expressed concerns about the HSCIC's privacy policy during a health select committee meeting in February, the audit found that 3,059 data releases occurred between 2005 and 2013. The “anonymized” records were passed on to a collection of insurance companies and featured information such as NHS numbers, hospital admission dates, partial postcodes, diagnoses and mortality dates.

Ten percent of these records were examined in detail, revealing a trail of “improper” record-keeping, “lack of evidence to support” processes and controls, unclear contractual agreements, ambiguous guidelines on legitimate use of data, and no audited deletion of data, according to the audit.

Sir Nick Partridge, the HSCIC non-executive director who led the audit, says: "The HSCIC must learn lessons from the loosely recorded processes of [the NHS Information Centre]. The public simply will not tolerate vagueness about medical records that may be intensely private to them. We exist to guard their data and we have to earn their trust by demonstrating [the] scrupulous care with which we handle their personal information.”

Andy Williams, HSCIC's chief executive, concurs: "The valuable work that the HSCIC does for the health and social care systems needs the endorsement of the public if it is to be effective. We want people to be certain their choices will be followed, clinicians to feel supported in their roles and data users to know where they are with us."

Where to Go From Here?

Officials said a new program will be designed to prevent such confidentiality lapses from occurring, with future promises that “all data agreements will be re-issued, to ensure activity is centrally logged, monitored and audited." Patient and public representatives will form part of the HSCIC's “data oversight committee,” and “data sharing agreements” will be published quarterly as part of a “program of active communication” between the HSCIC and patients. There will also be random checks on organizations in receipt of data, and a “new, strengthened audit process.”

UK privacy campaign groups have expressed deep concern over the report. “It’s bad enough that millions of NHS patient records have been sold on to commercial companies, but now we know how shockingly lax the ‘guardians’ of our medical data have been,” said Phil Booth, coordinator of MedConfidential.

“Not knowing where patients’ data was sent is frankly unforgivable. What’s even more staggering is that for over a year ministers and officials have been pushing a scheme that would have hoovered up even more information from patients’ GP records for it to be sold and passed on," added Booth.

"Did they not know how much of a mess the Information Centre was in, or didn’t they care? Every single one of Sir Nick Partridge’s recommendations must be implemented. In future patients must be given full information about who will have their information and for what purposes – and patients’ right to choose not to have their data sold on or used for things [other] than for their direct care must be respected.”

Pam Cowburn, the communications director for Open Rights Group, stressed that the NHS leaks were symptomatic of a much wider problem concerning a range of personal information. “It’s not just health data that the Government wants to share or sell,” she explained.

“In April, it was revealed that HMRC planned to sell access to tax data. Over 300,000 people signed petitions by Open Rights Group, 38 Degrees and SumofUs calling for these plans to be stopped. When it comes to our personal data, we have a right to know how it will be used and who will be able to access it, and we should be given the option to withdraw our consent if we don’t want our data to be shared.”

Cowburn added, “It’s often claimed that data is anonymous and can’t be re-identified, but we know that is impossible to guarantee."

Emma Carr, acting director at Big Brother Watch, said that “patients will undoubtedly be concerned about the litany of failures demonstrated in the review. What this shows is that without continuous oversight over who has access to our medical data, and an understanding of what they are doing with it, the system will not be fully trusted."

"If the government and NHS England want to continue to reassure the public that companies won’t be able to exploit their medical data for profit, then HSCIC must closely adhere to the Partridge review's recommendations," she concluded.

The reinsurer Milliman received two years’ worth of data – including NHS number, gender, age on admission to hospital, partial postcode, dates of hospital admission, diagnosis, speciality, and treatment. However, a spokesperson for the company said that "‎Milliman has not published any research yet based on the data and, in response to the recent scrutiny, will not do so going forward without explicit NHS permission. Milliman is not using the data for any kind of underwriting, nor will we be."

"Milliman has been mischaracterised as an insurance company in press coverage of this situation. We are a consulting company," the spokesman continued. “The NHS request to delete the data has been mischaracterized as a 'demand.' We have been in touch with NHS about this and they agree there was no such demand.”

data-leak-breach-ico.jpg