NHS slammed for MAJOR data blunders as scale of patient info sell-off is revealed

The NHS struck four "data-sharing" deals with three re-insurance companies that allowed them access to patient information under agreements that don't expire until 2015 and 2016. That's among the shocking findings of a review of data released by the NHS Information Centre - the predecessor to the Health and Social Care …


This topic is closed for new posts.
  1. nematoad

    I bet

    ... and added that he wanted to "draw a line under the past"

    I bet he does.

    "Nothing to see here, move along."

    Then when no-one is looking, bam,

    "Psst.. want some nice juicy patient data, going cheap!"

    The NHS run by accountants, who'd a thunk it?

    1. Anonymous Coward

      Re: I bet

      I quite agree. draw a line under the past usually means "that was a colossal embarrassment, and I'd really rather not talk about it any more."

      1. Anonymous Coward

        Re: I bet

        > I quite agree. draw a line under the past usually means...

        "I've done something which I know is illegal and I'd rather you didn't look any more closely otherwise someone might suggest that I be prosecuted."

    2. Salts

      Re: I bet


      Yes, that really jumps out from the article, the answer to this now should only be, not now, not next year, not ever, can private medical data be shared outside the NHS. The government, NHS and other organisations involved have proven beyond doubt they cannot be trusted.

      The great shame of this, is that done properly there was a great deal of good that could have come from it, however all involved have proven that the bad far outweighs the good.

      1. HollyHopDrive

        Re: I bet

        Three things should come out of this (in no real order)

        1. Sackings at the top and lots of them (including the government)

        2. Criminal proceedings for such negligence

        3. A law stopping patient data being sold or supplied to private companies EVER.

        This is serious stuff. And you know insurance companies would love to only insure people who will never claim. This data is too valuable to let loose without responsible ownership and somewhere for the buck to stop with.

    3. Tom 7

      Re: I bet

      Toxic accountants.

  2. Trollslayer

    This is why I opt out every time.

    1. Tom 35

      opt out

      I bet that was the first data they lost.

  3. Anonymous IV


    How often is this word ideal for describing IT or data security as 'practised' by government or NHS?

    All hail to Tony Roche and The Thick of It.

  4. sad_loser

    HSCIC = CfH

    Never forget that HSCIC is just CfH rebranded, but full of pretty much the same bunch of cock-up magnets as before.

    The same bunch of 'have a go heroes' that pissed £20bn of our money by being willingly bum-raped by every IT consultancy and major IT supplier that ever drew breath.

    Yes they have sacked the most incompetent, and there are now some people around who know what they are doing, and the lower rungs have always been decent people but the case for dropping a nuclear device on Leeds is still overwhelming.

    COI : I deal with CfH and now HSCIC on a regular basis.

  5. Fihart

    So that's where they got my address.

    Wondered why I occasionally get invites to health checks by (doubtless expensive) private medical providers who obviously have access to my full name and address. By the look of the services mentioned also know my age.

  6. Anonymous Coward

    This is terrifying...

    Such data power in the hands of those that can't be trusted....

    Just wait till the Five-Eyes get their greasy paws on this too!

  7. asdf


    I thought for sure some Yank would have used this as another reason to rail on Obamacare (see look new world order socialism is all the same, etc). Sure it's coming now lol.

  8. Anonymous Coward
    Anonymous Coward looks even more prescient after that!

  9. Mitoo Bobsworth
    Big Brother


    I wouldn't be surprised if the borked & bodged nature of this entire scheme was intentionally compromised at various levels for corporate & bureaucratic gain - not that I'm suspicious or anything, but - ok, I am.

    "The only problem with authority is authority is the problem."

  10. Will Godfrey Silver badge

    Nobody will take the rap

    That's my prediction. It will all be swept under the carpet just like all the other IT fiascos gubbermint has been involved in ever since there was IT.

    1. Anonymous Coward

      Re: Nobody will take the rap

      It won't be swept under the carpet. It already has been.

    2. dan1980

      Re: Nobody will take the rap

      @Will Godfrey

      No, no, no - you don't understand. They won't "sweep it under the carpet", they'll "draw a line under it".

      At first I was being facetious but then I realised that it is, actually, different. Sweeping it under the carpet is pretending it didn't happen; what they will do is acknowledge that there were problems (already done - no choice about it) but then "look forward". I.e. do nothing.

      1. Anonymous Coward

        Re: Nobody will take the rap

        How depressingly honest...

        "Hello? I'd like to order an escape clause!"

      2. Michael Dunn

        Re: Nobody will take the rap @dan1980

        And don't forget the "Lessons have been learnt" mantra

  11. Anonymous Coward


    so if I give hsick my NHS number, they'll be able to tell me which bits of my health data have been pimped to whom?

    as icon

    1. qwertyuiop

      Re: auditing

      It could be fun to organise a campaign to hit them with Subject Access Requests from a vast number of people....

  12. Evan Essence

    Technical solution

    That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.

    This. It should be right up at the top of the list of recommendations. Do this, and the other recommendations become less vital, or even irrelevant.

    All "clearly identifiable", "anonymised" or "pseudonymised" data should be held strictly on HSCIC premises and equipment, and only processed at arm's length, with incoming queries and outgoing reports strictly vetted by the HSCIC.

    All truly aggregate data can be openly published, in accordance with the government's welcome commitment to open data.

    There's a prevailing tacit assumption held by many bureaucrats and politicians, which should be challenged, that the only way to handle data is to pass it around on USB sticks, or DVD discs, or something, and process it with Excel. It's this kind of ignorance that leads to unencrypted laptops full of sensitive data being left on trains.

    1. Warm Braw

      Re: Technical solution

      No meaningful health information can be truly anonymised - there's no such thing as an "average" patient, everyone's individual response to disease and treatment is different and that's the reason for collecting data from such large cohorts.

      There's clearly a potential benefit from collecting and analysing all this data, the question is to whom is the benefit greatest. Even if HSCIC analysed data under contract, it's quite likely that the only people who'd pay for the service would be drug companies who could see the potential for long-term medication of the chronically ill.

      I don't really believe HSCIC have a genuine medical agenda because I don't think we have any consensus on what type of outcome we want to achieve from this data. I think they have a purely financial agenda - they have this stuff and people will be prepared to pay for it. Under those circumstances, we don't need a technical solution, we simply need them to stop doing it.

      1. Evan Essence

        Re: Technical solution

        I think they have a purely financial agenda

        That's not true. From

        The HSCIC is publicly funded and we therefore operate on a cost recovery basis. We do not charge for data itself but do apply charges to cover the costs of processing and delivering our service.
        Check out the charges. They're not going to make a profit on this.

        1. Ian 35

          They thought volume was a risk, however

          "They're not going to make a profit on this."

          So why was insufficient demand for their services listed as a risk in their risk register? Any cost recovery scheme is going to be based on a particular volume, so that they can amortise fixed costs over the variable demand. If the demand drops to zero, the fixed costs don't get paid. If the demand goes above your planning assumptions, the fixed costs are paid and you can (subject to any costs that are fixed up to a point and then have a marginal component) book the extra as profit.

  13. hoola Silver badge

    What About The Data That Has Been Flogged?

    The real whammy with this is all the data that has been sold, resold & left around. You can never get it back and as they do not even appear to know who it was sold to, they cannot go in with enforcement orders to get it deleted (Ha Ha).

    In the digital age, once electronic information is released that is it, there is never any going back. Maybe some draconian fines and deletion enforcements so that the parasitic companies that have bought the data are forced to delete all copies including their backups and the numpties that sold it in the first place are jailed.

    Unfortunately that will never happen as the merry-go-round of directors in and out of public bodies and the cosy private consulting outfits and industry will always continue.

  14. Infernoz Bronze badge

    Government can't even mind its own business let alone yours

    I opted out because this was so predictable.

    Yes, I know all that universal care stuff, but anything governments do which is not pure administration and law ends up rotting on the branch or poisoning the well, because they don't understand how to run stuff which should be run by business, and I don't mean the FU of medical insurance. I'm not having a go at doctors, nurses, etc. just the socialist disorganisation. The worst absurdity is trying to run any closed system with no creative destruction as a market, it just doesn't work, and leads to colossal waste and disorganisation.

    You have to make it people's _business_ to get this stuff right and to suffer personal consequences when it fails, otherwise they get complacent, or worse become socialist do-gooders (do bad)!

  15. Anonymous Coward

    A solution

    The staff handling this kind of data have proved time and again that they are oblivious to its value to either "legitimate" users or to fraudsters. The solution is that every member of staff in a department from which personal data is compromised must have their own corresponding data made public. Once they discover the pain of preventing that leading to personal identity theft (or the reality of it actually happening), they may begin to appreciate what they are wilfully doing to the rest of us.

    In this instance they might find that, because their medical data is in the public domain they can't get medical or life insurance. Having read of their sexual health history issues and psychiatric health episodes, friends, family and colleagues' attitudes toward them change.

    The value to identity thieves of the "lost in the post" CD of Child benefits records in 2007 was estimated at £1.5bn. In that instance Revenue and Customs chairman Paul Gray resigned - but only from that role, he kept his job as a senior civil servant on £200k+ salary.
