NHS to Share Patient Data with Third Parties, Fueling Privacy and Security Fears

NHS patient data in England will be shared with third parties for research and planning purposes, fueling concerns about privacy and security, it has been reported today.

The Financial Times revealed that NHS Digital, which runs the health service’s IT systems, will create a database containing the medical records of around 55 million patients in England who are registered with a GP clinic. This includes sensitive data on mental and sexual health, criminal records and abuse.

This information will subsequently be made available to academic and commercial third parties involved in research and planning, although no details on the types of organizations that will have access have been provided.

The initiative follows suggestions that the UK’s response to the COVID-19 pandemic was hampered by lack of data sharing and access, including in a report published this year by the House of Commons Science and Technology Committee.

Patients will need to fill in a form and take it to their GP to opt out of the scheme by June 23, otherwise their historical records will become a permanent and irreversible part of the new data set. Any patients who opt out after this date will prevent any future data becoming part of the new system.

The idea for a database of this kind was first set out by UK Health Secretary Matt Hancock in April, and explained in blogs on the NHS website. This emphasized that patients will not be directly identified in the data set.

The plans have received significant criticism from privacy campaigners. The Financial Times cited a letter from Foxglove, a campaign group for digital rights, to the Department of Health and Social Care, questioning the legality of the proposals under current data protection legislation. Rosa Curling, a solicitor at the organization who penned the letter, wrote that “very few members of the public will be aware that the new processing is imminent, directly affecting their personal medical data.”

Cybersecurity experts have also warned that the database will be a tempting target for cyber-criminals. George Papamargaritis, MSS director at Obrela Security Industries, commented: “It is not surprising that the NHS is facing backlash in response to this move. Sharing medical data with third parties is very risky as there is no way to be sure they will have the proper security tools in place to keep the data safe. While it looks like the NHS has plans to anonymize patient data, this is not a 100% guarantee of security protection.”

David Sygula, senior cybersecurity analyst at CybelAngel, said: “This move from the NHS provides some strong benefits from an academic research standpoint. An initiative like this could have been useful in better controlling the magnitude of the pandemic, and all research work that goes with it. 

“However, data collection on this scale is creating a new set of risks for individuals, where their Personal Health Information (PHI) is exposed to third-party data breaches. The extent of the unsecured database problem is growing. It's not simply an NHS issue, but the NHS' third, fourth or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved. These security policies and processes absolutely need to be planned well in advance and details shared with both third parties and individuals. 

“Several mechanisms must be put in place, starting with the anonymization of data, as data leaks will inevitably happen. Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information. That's the default assumption we should start with. It's about making sure patients are not personally exposed in case of a breach, while setting up the appropriate monitoring tools to look for exposed data among the supply chain.”

NHS England previously tried to store all GP patient information in a central database back in 2013 in a project called Care.data, which was subsequently abandoned in 2016 due to privacy concerns.

What’s Hot on Infosecurity Magazine?