An English firm working with the National Health Service (NHS) as a “third-party consultant” has caused serious “privacy and security” concerns by uploading “sensitive patient data” to Google servers, according to a recent article published by The Web Hosting Industry Review. The article confirmed that PA Consulting uploaded “patient information from its HES (hospital episode statistics) data, including addresses and hospital records” to BigQuery – Google’s analytics tool. This action raises serious concerns since this tool “resides on servers outside of the EU and could be a serious breach”, according to the report.
According to the article, the NHS was “aware that the data was being uploaded to Google BigQuery” but states further that “Google employees were restricted from accessing the information.” The article states that PA Consulting confirmed that the analytics tool “was able to produce interactive maps directly from HES queries” within a two-week time frame. Generating these “queries” would not have been possible without accessing “patient location information”, but the firm confirmed that the “entire start-to-finish HES dataset across three areas of collection” including “inpatient, outpatient and A&E” was “secured”, according to the article.
The article confirms that, according to the NHS, “the type of information shared, and how it is shared, is controlled by law and strict confidentiality rules.” A statement on the HSCIC website was quoted in the article as saying, “HES information is stored as a large collection of separate records – one for each period of care – in a secure data warehouse. We apply a strict statistical disclosure control in accordance with the HES protocol, to all published HES data.”