Jump to content

British government under fire for alleged breach of millions of patient medical records


Recommended Posts


According to explosive allegations from prominent Tory MP Sarah Wollaston, the consulting firm PA Consulting may have conducted one of the largest and most serious data breaches in history by uploading 27 DVDs worth of patient medical records into Google BigQuery. Google BigQuery is a cloud-based Big Data analysis suite that’s designed to quickly parse huge data sets in seconds to return useful information.

The allegations against PA Consulting are particularly damning at the moment. A month ago, the UK announced that the NHS (National Health Service) would begin selling data to health insurance companies and pharmaceutical manufacturers. This provoked a firestorm of controversy that hasn’t been assauged by promises to anonymize the data. So-called “anonymizing” techniques have proven pitifully easy to break in most cases. Studies have shown that 87% of Americans can be uniquely identified using just three pieces of data — birth date, gender, and zip code. The British scheme provoked further protests by being opt-out rather than opt-in.

The leak.

The Guardian, quoting Wollastan, states that PA Consulting uploaded the “entire start-to-finish HES [hospital episode statistics] dataset across all three areas of collection – inpatient, outpatient and A&E.” It further testifies that the data set was the size of 27 DVDs, took weeks to upload, and quotes unnamed management consultants as saying: “Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.”

The problem with PA Consulting is that the company handwaves its security concerns at every step. It blithely promises that it bought this data from the NHS but took “certain security restrictions.” It states: “As PA has an existing relationship with Google, we pursued this route (with appropriate approval). This shows that it is possible to get even sensitive data in the cloud and apply proper safeguards.”


PA Consulting’s ad copy.

Literally the only proof provided in PA Consulting’s documentation that the safeguards are appropriate or thorough is the use of the word “appropriate.”

In the wake of the story, PA Consulting has testified that it purchased the Health and Social Care Information Center (HSCIC) through appropriate channels, that the data is secured appropriately, and that the information was safeguarded according to government standards. The HSCIC has released its own statement confirming this to be the case. Unfortunately, the HSCIC has previously acknowledged that its own recommended “best practices” for anonymizing data may not be up to the job.

It’s not clear if this is the end of the story; some sources have hinted that there are far worse announcements to come. From the shape of things at the moment, PA Consulting may not have broken the law. But the sober takeaway here is that the collaboration between governments and corporations when it comes to grinding your personal data into sellable chunks has nothing to do with serving you, the original owner of said information.

If the goal was to balance the genuine privacy concerns of the individual against better insight into medical costs or drug treatments, the government would have created a new set of ironclad anonymizing practices, while the consultant group would have bothered to explain its precautions when handling this information. Instead, we’re told that we should trust PA Consulting’s relationship with Google, as if Google had been chosen to host this information through an open bidding process and in direct partnership with the NHS itself.

Google’s BigQuery is not the problem. The problem is that these partnerships and cooperative efforts have been negotiated like backroom deals. Of course, it’s hard for the United States to throw stones on that particular topic — our HIPAA (Health Insurance Portability and Accountability Act) laws may be slightly tighter, but the NSA’s obsessive wiretapping and spying have destroyed any claims we might once have made about our respect for citizen privacy.

The most damning thing about this story is that, if the current explanations hold, there may be nothing anyone in the UK can do about it.


Link to comment
Share on other sites

  • Views 647
  • Created
  • Last Reply

Top Posters In This Topic

  • Reefa


Popular Days

Top Posters In This Topic

Popular Days

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...