News

The NHS has shared hospital data with more than 40 companies

According to an article in the Financial Times, the NHS has shared a wealth of data with several companies. Any organisation can apply for access to NHS patient data, but while some use it for planning and research purposes (e.g. local governments, public bodies, and universities), the Financial Times has discovered that it was also shared with 43 commercial businesses.

Organisations who have received this data include the world’s largest management consultancy, pharmaceutical groups (including AstraZeneca) and data companies. The Financial Times claims that years of detailed medical records from UK hospitals has been shared.

The type of data passed to organisations includes:

  • hospital episode statistics (HES)
  • a database listing all hospitalised patients
  • diagnoses, treatments, and outpatient appointments
  • data about emergency care, mental health, mortality, cancer waiting time, sexual health, and childbirth services.

The world’s largest data breach

According to the report, sensitive patient data was also shared with marketing firm Experian. This is especially worrying as, in October 2020, the ICO ordered Experian to change the way it handles personal data in direct marketing services. The command followed a two-year investigation by the ICO into how Experian, Equifax and TransUnion use personal data for marketing purposes.

The ICO’s investigation discovered that Experian, Equifax and TransUnion were found “trading, enriching and enhancing people’s personal data without their knowledge”. This is a breach of data protection law.

The ICO also said that “the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.[1]” So this could be the most significant data protection violation in history.

Find out more about this breach

Further pans to pool NHS data

Government plans to pool and share the NHS data of 55 million patients have recently raised concerns. Not least because, rather than opting into the scheme, people in England have until September 1 to opt-out. And, if they do not, it will not be possible to remove their information from the new database. 

The General Practice Data for Planning and Research (GPDPR) – not to be confused with the GDPR – aims to advance the understanding of medical issues. However, with a wealth of data on physical, mental, and sexual health, sex, ethnicity and sexual orientation, critics of the scheme have described it as a data grab.

The recent revelations by the Financial Times raise further concerns about what happens to our patient data and a general lack of transparency about how it is already being used and shared.


CONTACT US TO START A DATA BREACH CLAIM.

Keller Postman

Share
Published by
Keller Postman
3 years ago

Recent Posts

Latest Data Breach Round-Up – June 2024

In our regular update, we provide a roundup of some of the data breaches and… Read More

5 months ago

Join our MOVEit/ Zellis Data Breach Action

We have launched a group action against MOVEit/Zellis. Group actions can be a powerful tool… Read More

5 months ago

One year on – the extent of the MOVEit data hack is just becoming clear

The number of organisations affected by the MoveIt Data Breach is still rising, despite the… Read More

5 months ago

Join our 23andMe Data Breach Action

We have launched a group action against 23andMe. Group actions can be a powerful tool… Read More

5 months ago

ICO and Canadian counterpart to investigate 23andMe data breach

The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach… Read More

5 months ago

Join Our Capita Data Breach Action

We have launched a group action against Capita. Group actions can be a powerful tool… Read More

5 months ago