Apparently a consulting company called PA Consulting who has been doing work for the NHS (National Health Service) in England has taken it upon themselves to take the entire patient check in statistics and upload them to Google in order to make it easier to create reports for the NHS.
The amount of data which they uploaded is massive, taking 27 DVDs worth of data (you can typically fit more than one encyclopedia set on one DVD) so you can imagine just how much information that would be if it was printed. To make all this even worse the servers which make up the Google service which this data was uploaded to aren’t in Europe, instead being in the United States which is another problem as the European Union (EU) has specific laws about sending the data about people who live in Europe outside of Europe.
The kinds of data which was uploaded include the patients NHS number, their address, post code (zip code), date of birth, gender, what doctor they saw, as well as their inpatient, outpatient and emergency records.
And all of this was done without any sort of notice to the patients or a way to opt out of having your data uploaded to Google. This is just another example of people (the ones who work for PA Consulting in this case) trying to get their job done but in doing so creating a massive problem for hundreds of thousands of people (or more depending on how many people’s data was included).
According to the article the information uploaded was the “entire start-to-finish HES dataset across all three areas of collection – inpatient, outpatient and A&E”, so basically everything that the NHS has ever collected.
The number of law suits which will be started up and the number of government inquiries will be amazing to watch as PA Consulting attempts to defend themselves from this mess which they’ve just created.
This sort of data breach is the worst kind for consumers because there isn’t any way to protect yourself from this as it was totally out of the hands of the consumers as to what happened and who had access to the data.
This is one of those cases where the best we can do is complain to the people in charge (in this case your local MP) to work to get the data removed from Google’s cloud servers and ensure that something like this never happens again.