
NHS England patient data 'uploaded to Google servers', Tory MP says - choult
http://www.theguardian.com/society/2014/mar/03/nhs-england-patient-data-google-servers
======
swombat
Surely PA Consulting should immediately be sued out of existence. This kind of
behaviour must be considered beyond negligent, practically criminal.

I would strongly support throwing anyone involved in this into jail for a long
time as a deterrent against future criminals.

This is just unbelievable.

~~~
ataggart
Taking a sentient human being and throwing them in a cage is a profoundly
violent act. I find it troubling that you guys so casually reach for it as a
punitive tool, particularly when the subject has neither committed physical
violence nor poses such a threat to others. Surely you clever people can think
of forms of punishment/deterrence less destructive to both the individual and
society as a whole.

~~~
Silhouette
_Taking a sentient human being and throwing them in a cage is a profoundly
violent act. I find it troubling that you guys so casually reach for it as a
punitive tool_

We aren't reaching for it casually. Some of us consider privacy a fundamental
value that must be defended, and regard an attack on our privacy with the same
seriousness that we would regard an attack on our physical person.

Which is more of a danger to me, someone who punches me in the face on their
drunk night out and gives me a bloody lip and a bit of pain for a few hours,
or someone who betrays confidences that may have lifelong implications for my
employability, insurance premiums and credit levels, ability to travel freely,
and for that matter my self-respect and basic human dignity, before you even
get to the kinds of more extreme and very physical dangers that could be posed
by invasions of privacy if we consider the lessons of history?

~~~
ataggart
>Some of us consider privacy a fundamental value that must be defended

The _severity_ of a punishment can be tuned separately from the _form_ of
punishment. Imprisonment is not appropriate merely by dint of your emotional
reaction to the crime itself.

>Which is more of a danger to me...

Sufficient to warrant throwing them in a cage, being brutalized by actually
violent criminals, imposing a direct cost burden on society, and also
indirectly by depriving society of that individual's productivity?

Probably neither.

~~~
pasbesoin
Financial penalties have a long record of poor influence toward desired, legal
behaviour. Further, they tend to simply be, sooner or later, passed on to the
customers or clients who in many cases are the original wronged. Those
individuals actually responsible for the sanctioned behaviour are not or only
weakly punished and perhaps influenced against its repetition.

As an individual, one could well go to prison for such misbehaviour. Corporate
and government employment should not serve as an impenetrable shield and
dilution of responsibility against such eventuality.

Incarceration is often described as having two goals: Punishment for crimes
committed, and mitigation against such crimes. For the latter, both by actual
restraint and by aversion to the potential results.

It seems that stronger aversion is needed; we have a systemic problem with
recurrence -- often by the same parties -- of this behaviour.

------
pja
It's worse than that: Ben Goldacre is reporting ([https://twitter.com/bengoldacre/status/440475049880195073](https://twitter.com/bengoldacre/status/440475049880195073)) that the data was made publicly available.

This is beyond parody.

~~~
chillax
another update:

"No individuals directly named records online. But a massive breach of the
most basic information security policies to prevent jigsaw."

[https://twitter.com/bengoldacre/status/440488463008550912](https://twitter.com/bengoldacre/status/440488463008550912)

~~~
flurpitude
We're going to need something longer than a tweet to explain what he's
actually talking about.

~~~
sentenza
I'd also assume the worst, even if there are no patient names out. There are
too many examples of de-anonymization of purposefully anonymized data out
there to warrant any belief that missing real world names alone should
constitute much of a privacy blanket.

~~~
vidarh
The dataset in question supposedly contains date of birth, gender and post
code. For my family, that uniquely identifies every member, given the size of
UK post codes.

~~~
Silhouette
If that means full postcodes, then that information will easily be sufficient
to identify every member of the UK population, aside from outliers like twins
or the occasional statistical fluke.

------
crb
This is the data in question:
[http://www.hscic.gov.uk/hes](http://www.hscic.gov.uk/hes)

It is anonymised [1], publicly licensable data.

Here are a list of users and uses. [2]

[1] "We apply a strict statistical disclosure control in accordance with the
HES protocol, to all published HES data. This suppresses small numbers to stop
people identifying themselves and others, to ensure that patient
confidentiality is maintained."

[2] [http://www.hscic.gov.uk/media/10495/Users-and-uses-of-HES/pd...](http://www.hscic.gov.uk/media/10495/Users-and-uses-of-HES/pdf/HES_Users_and_Uses.pdf)

~~~
SideburnsOfDoom
> It is anonymised

Not meaningfully, no. A UK postcode covers 20 households or less. If you have
that plus gender and date of birth (as seems to be the case here), you almost
always have a unique individual.

~~~
lotsofmangos
NHS number, date of birth, postcode, ethnicity and gender.

Is about as anonymous as wearing a different hat.

~~~
dhoulb
NHS number is clearly ridiculous.

But, I can see why all the other data are statistically relevant in analysis.

Postcode, so you can track viral outbreak etc with a fair degree of locational
accuracy.

Date of birth, so you could analyse if people born in certain seasons had
higher incidences of various diseases. (You could probably drop the day and
just have month, but there could be cases where there were more hospital
deaths for babies born on a Monday, etc).

Gender and ethnicity are obvious.

~~~
andygates
A hash of the NHS number would give a UID without compromising the person's
details. Providing a UID that is one-way linked would allow HSCIC to go to the
actual data if a care situation warranted it.

I'd argue that the first half of the postcode and month of birth are ample for
outside-HSCIC use. Monday-deaths is the kind of thing that's done internally
anyway.
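
As an added example (not code from this thread, from HSCIC or from PA Consulting), the Python below puts numbers on the two points argued in this subthread: how often full date of birth, sex and full postcode pin down a single record, and what the proposed one-way UID plus outward postcode plus month of birth does to that count. It uses a keyed HMAC rather than a bare hash for the UID; the sample records, NHS numbers and key are constructed, and the check-digit routine is the standard modulus 11 scheme for NHS numbers.

```python
"""HES-style k-anonymity check and keyed pseudonymisation (added example).
Records, NHS numbers and key are constructed; nothing here is HSCIC or PA code."""
import hashlib
import hmac
from collections import Counter

# Constructed sample extract with the fields named in the thread. The two
# final rows are twins, the "statistical fluke" case mentioned above.
RECORDS = [
    {"nhs_number": "9434765919", "dob": "1979-03-14", "sex": "F", "postcode": "SW1A 1AA"},
    {"nhs_number": "9434765927", "dob": "1979-03-22", "sex": "F", "postcode": "SW1A 2BB"},
    {"nhs_number": "9434765935", "dob": "1979-03-05", "sex": "F", "postcode": "SW1A 1AA"},
    {"nhs_number": "9434765943", "dob": "1985-11-02", "sex": "M", "postcode": "E1 6AN"},
    {"nhs_number": "9434765951", "dob": "1985-11-30", "sex": "M", "postcode": "E1 7AA"},
    {"nhs_number": "9434765978", "dob": "1985-11-09", "sex": "M", "postcode": "E1 6AN"},
    {"nhs_number": "9434765986", "dob": "1990-06-01", "sex": "F", "postcode": "M1 1AE"},
    {"nhs_number": "9434765994", "dob": "1990-06-01", "sex": "F", "postcode": "M1 1AE"},
]
QUASI_IDS = ("dob", "sex", "postcode")

# Assumed: a secret held only by the data controller (HSCIC in the thread),
# never shipped with the extract. Placeholder value for the example.
PSEUDONYM_KEY = b"placeholder-key-held-by-data-controller"


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit used by NHS numbers: weights 10..2 over the
    first nine digits; check = 11 - (sum mod 11), with 11 -> 0 and 10 -> invalid."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(digits[9])


def pseudonymise_nhs_number(nhs_number: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way identifier (HMAC-SHA256), stable across spacing.
    An unkeyed hash would be reversible by enumerating the ten-digit NHS
    number space, so the secret key is what makes the link one-way."""
    digits = nhs_number.replace(" ", "")
    if not nhs_number_is_valid(digits):
        raise ValueError("not a valid NHS number")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def generalise(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Coarsen a record as proposed in the thread: pseudonym instead of
    NHS number, outward half of the postcode, year and month of birth."""
    postcode = record["postcode"].strip()
    return {
        "uid": pseudonymise_nhs_number(record["nhs_number"], key),
        "dob": record["dob"][:7],              # YYYY-MM
        "sex": record["sex"],
        "postcode": postcode[:-3].strip(),     # inward code is always 3 chars
    }


def equivalence_classes(records, quasi_ids=QUASI_IDS) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest class; k == 1 means some record is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singleton_fraction(records, quasi_ids=QUASI_IDS) -> float:
    """Share of records that are the only one with their quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1) / len(records)


if __name__ == "__main__":
    coarse = [generalise(r) for r in RECORDS]
    print("raw extract: k =", k_anonymity(RECORDS), "unique =", singleton_fraction(RECORDS))
    print("coarsened:   k =", k_anonymity(coarse), "unique =", singleton_fraction(coarse))
```

On the constructed sample every record except the twins is unique on full DOB, sex and postcode; after coarsening no record is unique and every class has at least two members.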

------
revelation
I trust Google more than I do "PA Consulting". Which begs the question, how
did we get here? Who in their right mind sends out 27 DVDs with probably
unencrypted, highly sensitive medical data? Even if the recipient is
trustworthy, _the transport_ isn't.

This data needs to be on a locked away government server that answers queries
by 3rd party by throwing away half of the data and randomizing the remainder.

~~~
fixermark
Basically. An alternative headline for this story could be "Contractor moves
sensitive data from insecure, non-audited medium to secure, audited medium."

~~~
skrebbel
That would be "Contractor moves sensitive data from insecure, non-audited
medium to secure, audited medium monitored by a foreign spy agency"

~~~
fixermark
Correct. I disregarded the nationality issue in assuming that GCHQ having
"NHS, please pass me your data because terrorists" access to the health
records is equivalent to the NSA having "[GAG ORDER] Google, a secret court
has ordered you..." access to the health records, given how closely those
agencies seem to be working together based on the Snowden disclosures.

Others may place differing weights and values on their cloak-and-dagger outfit
of choice. ;)

------
morgante
I don't understand why the data being on "Google servers" is generating such
outrage. Google almost certainly has superior security to this "PA Consulting"
or even the government itself.

~~~
easyfrag
I don't think Americans get how distrustful other nations are of American-
based cloud providers. It is not a matter of Google's or any other providers'
behaviour but of the US Government (warrant-less searches and the like). This
lack of trust predates the current NSA-Snowden affair and goes back to the
Patriot Act (IMHO).

Of course I can't speak for all nations or industries (or even companies) but
in my part of the Canadian Health care sector it is simply unthinkable to use
a US-based cloud provider for anything to do with patient data.

~~~
fixermark
As an American, I'll be a little surprised if that mistrust runs deeply in
Britain, given how closely the Snowden disclosures revealed GCHQ and the NSA
to be working. If the NSA had a vested interest in getting health records on a
British citizen, I doubt it'd be difficult to get the British government to
send them over. You know, to fight terrorism.

Of course, people aren't strictly rational actors, so I suppose one could hold
the cognitive dissonance that one's private data is safer from the NSA
physically stored in Europe than it is in the US.

~~~
Silhouette
_As an American, I'll be a little surprised if that mistrust runs deeply in
Britain_

Why? I don't approve of the NSA behaviour, and I don't approve of the GCHQ
behaviour in conducting mass surveillance either. The fact that the latter is
theoretically done by my government for my country's benefit doesn't make me
think any better of the spy agencies or those in government whose laws and tax
money allow it.

I would rather take my chances with the terrorists than put up with all the
nonsense done in the name of fighting them today. Not only do I think that as
a practical matter the nonsense is far more likely to harm me or those I care
about, and not only do I strongly disapprove of all the time, money, media
attention and other resources I consider wasted on most so-called anti-terror
measures when much more deserving causes could have used those resources
better, I also think the current culture of rampant paranoia and fear-
mongering is _helping the terrorists to win anyway_.

------
timthorn
The report in question (linked in the article) provides "exceptional" evidence
for the performance of Cloud technology by comparing a Google BigQuery search
against an on-premises SQL Server query.

So, cloud is good because map-reduce performs better than relational
databases...

~~~
collyw
This sounds all too like the project I am collaborating on. It will be
moderately big data (a few terabytes at most). The guys developing it just now
are on their third NoSQL database - Elasticsearch.

Them: "Look at how fast it is"

Me: "You only have 3GB of data in it"

Them: "It's so fast to develop, just connect Angular straight to Elasticsearch"

Me: "Absolutely no concern given to security"

Them: "The previous project used an SQL database and ended up having so many
table"

Me: "So it was probably properly designed"

~~~
thirsteh
Ahh, hipsters.

~~~
collyw
Actually I didn't make the comment about the database being properly designed.
I was at a loss as to what to say when that was the complaint.

------
k-mcgrady
Why does the government repeatedly hire incompetent people?? They pay crazy
amounts of money for it too.

I hope there is a very public investigation into this. We are losing privacy
every day now and this is one area of our lives that needs to remain private
at all costs. There is very little I can see to gain and lots to lose from
losing privacy in health. Especially in a public system like the NHS.

~~~
bananas
Because they're all part of the old boys network. No other reason.

~~~
collyw
Sad but seems to be true.

------
nly
Good. Imo, the fearmongering here is actually quite irrational. Google have
more credibility (and money) to lose from a high publicity hack than
government contractors _who already act with impunity_. If they'd invested in
their own map-reduce deployment we'd only be hearing another story about
government contractors wasting millions of £ in taxpayers' money on Big Brother
data analysis.

> The extracted information will contain a person's NHS number, date of birth,
> postcode, ethnicity and gender.

Big whoop? Your NHS# isn't used outside of the NHS or for anything of concern
to most people, and your postcode (and address) is held on the unedited
electoral roll by hundreds of organisations. Most people don't even opt out of
the edited register accessible for a small fee on 192.com.

Why aren't we Brits worried about our credit histories and county court
judgements being recorded and held by Equifax, an American company?

What specifically are people actually afraid of with regard to this data set
sitting on Google's servers? I just don't get the regular public outcry about
NHS data.

~~~
icebraining
But it was a government contractor who uploaded and queried the data (PA),
they just used Google's platform.

Frankly, this seems as related to Google as Nokia would be if someone used one
of their cellphones to detonate an explosive. They're just the database
provider.

~~~
Sniperfish
The Google relevance is server location, if outside of UK and if outside EU
various data protection laws at each level would appear to have been breached.

------
adamrneary
The shame of all of this noise is that resources going into medical research
today ends up getting spent on data security and building expensive, custom
solutions that avoid using servers of a certain type or location in the name
of privacy.

Sure, it would be more secure to conduct medical research without using
computers at all, but what about all those people dying of nasty diseases? If
I had 6 months to live, I probably wouldn't mind these "criminals" trying to
find me a cure.

Instead, we have a deafening din of screaming about data privacy and little or
no mention of the benefits of the medical research itself. If people could
calm down a little bit about Big Brother, these guys could spend more time
doing their jobs, helping sick people.

~~~
anon1385
Medical data is a great tool but the problem is that these stories are
poisoning public good will. There is no point telling people to calm down when
they have just learned that records of every meeting they ever had with their
doctor were available on the public internet and identifiable to anybody who
knows their address and DOB. That is something that people rightly get upset
about.

Additionally, it's not like these events are all just accidents or
incompetence. The UK government made a policy decision to sell medical records
to insurance companies[1].

_Also, is it really true that release to the insurance industry is
unacceptable to the HSCIC? Its own information governance assessment from
August says that access to individual patients records can "enable insurance
companies to accurately calculate actuarial risk so as to offer fair premiums
to its [sic] customers. Such outcomes are an important aim of Open Data, an
important government policy initiative."_[2]

[1] [http://www.telegraph.co.uk/health/nhs/10659147/Patient-recor...](http://www.telegraph.co.uk/health/nhs/10659147/Patient-records-should-not-have-been-sold-NHS-admits.html)

[2] [http://www.theguardian.com/commentisfree/2014/feb/28/care-da...](http://www.theguardian.com/commentisfree/2014/feb/28/care-data-is-in-chaos)

~~~
timthorn
Not underplaying at all - your point is spot on - but this data only relates
to hospital attendances and not GP interactions. Currently GP interactions are
not available in the database, and that's the point of care.data.

~~~
anon1385
Sorry. Yes you are quite right.

When I said public internet I was actually referring to the things Ben
Goldacre has been tweeting ([https://twitter.com/bengoldacre/status/440475049880195073](https://twitter.com/bengoldacre/status/440475049880195073)) and I'm not sure which data set he is talking about.

------
clienthunter
Government privacy breaches are one of the things I despise most about current
Western society. I am - day in, day out - one of those guys calling for
ministerial blood.

However I have long thought that proper open access to health data could be as
revolutionary as, say, antibiotics. The government can do whatever the hell
they like with my data - on the condition that _anyone_ else can too.

Can you imagine what insights could be gained with canonical graph schemas for
individual (but (pseudo|a)nonymised) health records and a bit of
statistics/ML? I think it would change the world, but it will _never_ happen
unless people like us get our hands on it. No amount of management consultants
will innovate on the same scale as the tech community; saving lives through
Github and AWS sounds like the only thing I'd do with my weekend.

On a side note, I think the same argument could be applied to a great many
public services. I recently emailed my doctor a letter from one of my private
doctors in PDF format for addition to my records. Can you guess what happened
next? Yep, he printed it out and gave it to a secretary to scan it back in,
because the Java app that manages this stuff has very tightly controlled
boundaries. Shortly after that I overstayed on a trip to a different part of
the UK and desperately needed a top-up of my meds. The solution? Print a
prescription and mail it to the pharmacy by next-day post, because Scottish
NHS and English NHS computers are _incapable_ of communicating with each
other. How long would it be after going open source before all this BS is
obliterated? I'm thinking months.

~~~
buro9
> The government can do whatever the hell they like with my data - on the
> condition that anyone else can too.

Wonderful.

Now consider how a potential employer might use your data:

Have you ever seen a GP for stress or mental health issues? Oh, maybe we are
disinclined to hire you.

Suffer from back pain? Well that's one of the most given reasons for needing
time off from work, which means you are a liability and we won't hire you.

Or even a business looking for partners:

Of these two evenly matched companies, this one over here has a CEO that has
seen his Dr for stress and has had heart attacks in the past... he can't take
the pressure and will be taking it easy when we need aggressive, let's go with
the other one.

That's before you even touch what insurance companies will do, or whether
schools will look into the mental health of little Timothy's family before
determining whether to let the child into the school, or what retirement
facilities might be available to you at what cost when you're 75+.

Once out in the open, this data is free for everyone to use. And it's going to
be hard to then restrict how it is used by trying to bolt one gate after
another.

~~~
clienthunter
Although I didn't say it explicitly in the particular sentence you quoted, I
did say (pseudo|a)nonymously just after. I'm not suggesting identifiable
health records should be searchable by all!

You raise interesting points. I think you are quite correct in saying these
things are likely to happen. But I wonder whether hiding such information is
actually the most efficient strategy. I mean if some divine power gave us all
the ability to see inside each other's minds, and ergo all the bullshit, lies,
and politicking that makes up a great deal of human interaction was to
evaporate, wouldn't the world be a better, more forgiving place? Obviously
this is all a bit esoteric, and the game-theoretical analysis of moving from
the status quo to a world of almost creepy honesty would almost certainly show
that it could never happen, but I find it a useful thought nonetheless.

~~~
yuhong
I said before that I do want the problems with using real names to be fixed.
And I am thinking that insurance for periodic doctor visits is probably
flawed.

------
samwillis
PA has a history of not looking after UK Government data very well; they
famously left a USB stick on a train with a lot of confidential data on it...

[http://news.bbc.co.uk/1/hi/7575989.stm](http://news.bbc.co.uk/1/hi/7575989.stm)

~~~
swombat
Leaving a USB stick on a train is one thing. Spending weeks to upload 27 DVDs'
worth of confidential health data to Google servers is quite another! One is
negligent. The other is, imho, criminal.

------
shocks
I shall be writing to my local MP about this, I'd encourage anyone else to do
the same!

~~~
collyw
I agree it's the right thing to do, but I have very little faith in it making a
difference.

~~~
bananas
This. Boilerplate reply and a permanent filing in the cylindrical filing
cabinet awaits. If you're lucky, they'll use it to lean on whilst writing a
cheque to the guy who just installed a duck house in their pond at your
expense...

~~~
shocks
Funny. I've written to several of my local MPs and always received a direct
response regarding the issues I have raised.

How many times have you received boilerplate replies?

~~~
bananas
Three times now to three different MPs. Gave up then. Glad you got something
more.

~~~
shocks
I'm actually sorry to hear that. What topics were you contacting them about,
if you don't mind my asking? I wrote about private issues, copyright and
digital rights issues, and various local council issues (fences and paths). I
got a good response every time.

It would be cool to compile a list of responsive and unresponsive MPs…

~~~
bananas
So was I at the time. It dented my confidence in politicians. This was then
immediately followed by the expenses scandals in which one of the MPs I
contacted was implicated.

Three different MPs. The issues were about planning permission being denied
for a structure that everyone else down the road has, an issue I had with the
CPS who lost the evidence after I was stabbed and refused to formally charge
the person and the reduction of the number of parking spaces in my area by 50%
resulting in people fighting in the streets over spaces (literally!).

Privacy, copyright and digital rights issues, I vote with my feet.

With other issues, I wield a solicitor now. It's a much better use of time and
money and that is saying something.

------
noir_lord
I've very carefully opted out of every single program that the NHS has created
for digital records going back years.

Whether that has done any good I have no idea but I do have signed letters
from all relevant organisations (Doctors surgery) saying that I've opted out.

This does have legal battle written all over it.

------
nickbauman
Don't the British have something like HIPAA in the US? If so PA Consulting
would have had to follow those rules when using Google's infrastructure.
Google's infrastructure passes many security levels and has just about every
security certification (up to but _not_ including ITAR). There's nothing
inherently insecure about doing this as long as they follow the rules. What
are the rules about this over there?

------
UVB-76
A second scandal is now emerging out of this, as digital mapping firm
Earthware are accused of posting HES data in Google maps form on its website
for all to see.

[1] [http://www.independent.co.uk/life-style/health-and-families/...](http://www.independent.co.uk/life-style/health-and-families/health-news/new-nhs-scandal-as-digital-mapping-firm-earthware-is-alleged-to-have-of-posted-hospital-records-in-google-maps-form-possibly-allowing-the-identification-of-patients-9166633.html)

[2] [http://www.hscic.gov.uk/article/3947/Statement-Use-of-data-b...](http://www.hscic.gov.uk/article/3947/Statement-Use-of-data-by-Earthware-UK)

~~~
linlea
Earthware's statement claims that they used mock data:

HES Data Map Statement 3 March 2014 18:55 GMT. Earthware was contacted this
morning by the HSCIC regarding a demo online map we had created to demonstrate
how HES data might be displayed in a mapping environment. Earthware immediately
withdrew this map from our website upon request from the HSCIC. Earthware
would like to clarify the following: The map displayed mock data held by a
third party who provided this data to Earthware via a web API. We do not hold
nor have we ever held HES data on our servers. No patient identifiable data
was ever displayed on the map. Earthware are confident that we have not
breached any legal or regulatory rules regarding the licencing or publication
of HES data. We will continue to co-operate fully with the HSCIC if required.

[http://www.earthware.co.uk/](http://www.earthware.co.uk/)

------
bostik
Interestingly enough, the company behind this cluster#### has previous and
proven record of similar behaviour.[1][2] Sure, it takes conscious effort to
upload multiple DVDs' worth of data, which already rules out accidents - but
because this is not an isolated incident, I wouldn't rule out corporate policy
of willful neglect either.

"Fined and fired" is not a sufficient deterrent.

[1] [http://www.theregister.co.uk/2008/09/11/pa_consulting_home_o...](http://www.theregister.co.uk/2008/09/11/pa_consulting_home_office_plea/)

[2] [http://www.scl.org/site.aspx?i=ne9297](http://www.scl.org/site.aspx?i=ne9297)

------
kabdib
27 DVDs = not a lot of data. What were they doing, transcoding through paper
tape?

~~~
nly
> The data set was so large it took up 27 DVDs and took a couple of weeks to
> upload.

27 * 8 GiB (DVD-9) / 2 weeks = ~1.5 Mbps. Yep, that's British broadband bought
from the lowest bidder.

~~~
srj
I think it's tough to say. There's considerable overhead to packeted traffic.
Also it sounds like they had a simple setup so there would be a delay in
exchanging the DVDs after each one finishes. Uploads probably finished over
the weekend with nobody there to start the next one too.

------
binarymax
Once the data enters the US, it is subject to HIPAA. PA is criminally liable.

~~~
angersock
So, that's an interesting question, right?

If it's UK data, from the UK .gov, being stored to a server whose hardware is
in the US, to be worked on by a UK consultancy, should it actually be subject
to HIPAA?

Jurisdiction in the Internet is tricky business.

------
higherpurpose
The risk of a "privacy disaster of unprecedented proportions" for NHS data was
predicted by Glyn Moody just 3 weeks ago on TechDirt:

[http://www.techdirt.com/articles/20140207/09552726132/uk-pol...](http://www.techdirt.com/articles/20140207/09552726132/uk-police-companies-will-have-access-to-database-all-englands-medical-records.shtml)

------
calbear81
> The data set was so large it took up 27 DVDs and took a couple of weeks to
> upload.

Really? 27 DVDs' worth of data is only about 127GB of data and it took weeks
to upload? I'm on a standard Comcast cable line and I could probably upload
that in a few days at most.

------
suprgeek
All that is now needed is to cross reference it with the ridiculously
extensive CCTV footage that the Govt. in Britain has collected & continues to
collect everyday.

Perfect Surveillance at a granularity that was not possible before.

~~~
twic
No no no - perfect _healthcare_ at a granularity that was not possible before!
Plays much better with the voters!

~~~
suprgeek
You may have a great future in Politics!

------
UVB-76
Official statement: [http://www.hscic.gov.uk/article/3948/Statement-Use-of-data-b...](http://www.hscic.gov.uk/article/3948/Statement-Use-of-data-by-PA-consulting)

------
blueskin_
For fuck's sake.

I opted out of 'care.data' (what a stupid name), and now I find out my data
was breached anyway?

I wonder if leaked people can start a class action lawsuit.

------
kleiba
"Nonsense! We never uploaded any data to Google servers, we just put it in the
cloud!"

------
apoz
It took weeks to upload? Never underestimate the bandwidth of a station wagon
full of tapes...

~~~
collyw
We were shipping hard disks between the States and Spain. Unfortunately
Spanish customs can make the delay unreasonably large (especially when someone
put the value of the drive at $100).

~~~
pbhjpbhj
> _(especially when someone put the value of the drive at $100)_ //

Is that wrong? I see a Seagate Barracuda 3TB on Amazon at $110. Do you mean it
should have included the data value or that they inflated the price or what?

~~~
collyw
Yes, but the drive wasn't what had the value (it was second hand). It got sent
back afterwards.

It was publicly funded research data, to be processed and uploaded to the
Genome Browser at UCSC. Had someone just put zero on it I think it would have
gone a lot more smoothly.

