Sensitive patient data in England has been uploaded to Google servers by a third-party consultant, causing serious concern around privacy and security, according to a report by The Guardian on Monday.
Patient information from its HES (hospital episode statistics) data, including addresses and hospital records, was uploaded to Google’s BigQuery analytics tool, which resides on servers outside of the EU and could be a serious breach, according to a report by Engadget.
PA Consulting worked with the National Health Service (NHS) of England to obtain the data as part of a project intended to show the NHS “how insight can be quickly and cost-effectively generated from large volumes of health data, enabling better care for patients.”
THe NHS Information Center was aware that the data was being uploaded to Google BigQuery, although Google employees were restricted from accessing the information, Engadget said.
The consulting firm said that within two weeks of using Google’s analytics tool it was able to produce interactive maps directly from HES queries, which couldn’t have been possible without patient location information.
The firm also said that it secured the “entire start-to-finish HES dataset across three areas of collection – inpatient, outpatient and A&E,” The Guardian reports.
According to NHS England, “the type of information shared, and how it is shared, is controlled by law and strict confidentiality rules.” There is a full Q&A of the privacy of patient records and opt-out options available to patients on its website.
Last month, the Health and Social Care Information Center released a new initiative around collecting patient data to create a UK national database that will help it “understand the health needs of everyone and the quality of the treatment and care being provided.” It is also used by researchers to support studies on diseases and treatments.
“HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse,” according to the HSCIC website. “We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data.”