
NHS patient data to be made available for sale to drug and insurance firms - sbellity
http://www.theguardian.com/society/2014/jan/19/nhs-patient-data-available-companies-buy
======
xedarius
This information will only be used to cause harm and bring misery to people
when they need help the most.

I have private medical insurance through my work. Last year I made two claims,
which were covered by the insurance company. However after the second claim
they sent me a letter requesting access to my medical records. Obviously I
told them to fuck off as they're an insurance company and have no business
poking through my medial history.

This data probably shouldn't ever exist, but if it's going to, it should be
anonymous.

Going to see if I can opt out ... somehow.

~~~
Angostura
This information _could_ invaluable to the medical research community as a
whole and _shouldnt_ have any adverse consequences for individual patients if
suitably anonymised.

Currently I don't have sufficient information to judge whether I need to opt
out or not so I'm withholding judgemeny.

~~~
mrich
Making that data truly anonymous so that you cannot de-anonymize it with other
data sets is likely impossible. You would have to remove so much that the data
becomes useless.

------
benjamta
The NHS provide shockingly little information on how to opt out. The leaflet
that came through all our doors about this was vague. There is no _official_
form, they just suggest you talk to your surgery. Legislation passed in 2012
allows the NHS to use our data with out first seeking our consent.

So that's what I did. Because they don't give this scheme a name, it's hard to
talk reception staff about exactly what it is you want to opt out of. They
were very understanding, but left me with forms to opt out of the Summary Care
Record which is not the same thing. Even if you've already oped out of the
Summary Care Record you must still opt out of this.

An email to the practise manager did the trick though. I asked by what
mechanism they achieve the opt out, as it all seem very vague. A very helpful
and prompt response explained that a change has been made to the access
conditions of my record in System One (the monolithic care record system) such
that it can't be used for this purpose.

All of which is great. But this scheme should clearly be on an _opt in_ basis.

~~~
kintamanimatt
And what happens if someone has medical records in the UK but no longer lives
there? They'd never receive the notice and not have a UK GP to contact to opt
out!

------
nodata
"The extracted information will contain NHS numbers, date of birth, postcode,
ethnicity and gender."

Yikes! Date of birth AND postcode? Pseudoanonymous that is not.

~~~
exDM69
Even if this data (date of birth, postcode, etc) would be removed, it would
still be rather trivial for e.g. an insurance company to match these records
to their customers. Given one or two insurance claims for doctor's
appointments, matching the medical records for identical dates is enough to
pinpoint a person with adequate certainty.

Then the insurance company can grep the records for mentions of smoking,
drinking, drug use or injuries related to dangerous activities like riding
horses, motor racing or skiing. Now that the insurance companies can identify
patients in these risk groups, they can proceed to doubling the insurance fees
of these people.

I think that the insurance companies should not be able to access medical
records like this.

edit: please excuse my ignorance on the UK health care system. In my country,
you pay a fixed fee when using public health care and you can claim insurance
on that.

~~~
lclarkmichalek
Do people regularly claim on insurance for NHS doctor's appointments? I know I
never have. Regarding the smoking etc, I'm pretty sure that health insurance
companies ask if you smoke (and yes, double the cost if you say yes), and
giving a lying counts as insurance fraud. Due to that, I'm not too sure how
relevant the NHS records would be, other than in cases where someone has lied,
in which case I'm not too inclined to feel sorry for them.

~~~
russss
I don't think there are any UK health insurance companies which allow you to
claim for NHS doctor's appointments.

Presumably if you have a health insurance plan which covers private doctor's
appointments, they get a copy of the doctor's notes anyway.

~~~
michaelt
Several insurance companies will pay a cash incentive to use NHS services
rather than claiming on your insurance [1]. For example if you need to stay
over night in hospital and choose an NHS hospital instead of a private one
they will give you £50 or more per night.

[1]
[https://www.google.co.uk/search?q="NHS+cash+benefits"](https://www.google.co.uk/search?q="NHS+cash+benefits")

~~~
arethuza
Nice - my employers private health care insurance includes this and I had
never noticed!

Mind you I wonder when it would ever apply - if you have a non-emergency then
you will choose to go to a private hospital, if it is an emergency then you
don't have any option but to go to an NHS hospital...

Maybe for people who are covered by private health care but aren't close
enough to a private hospital to actually use it?

~~~
mistakoala
It's presumably the incentive of not using non-NHS facilities (which the
insurance company would have to pay for as part of your cover). £50 to stay in
an NHS ward vs a bit more to stay in an en-suite room in a private hospital.

If I had insurance, I know for sure which I would be choosing.

------
ig1
It's unclear why they didn't get the UK Data Service to handle this, who have
extensive experience in anonymization and data control (they handle the
processing of census data and HMRC tax information by external researchers
among other things).

~~~
ealexhudson
The data gets held in N3 which is an entirely separate system/network, and has
a much higher set of standards than UKDS would largely be used to using. HSCIC
are well used to doing this as well.

~~~
ig1
It may be that the Guardian is misreporting it, but from their description the
data level is far less anonymized than what I've seen when working with UKDS
data.

------
jamessb
The care.data program was also the subject of an editorial in this week's
issue of Nature [0]

Ross Anderson has a blog post with links to more details [1], including a PDF
of how the patient information leaflet 'should really have been drafted' [2]
(quite different to how it was - [3]).

[0] [http://www.nature.com/news/power-to-the-
people-1.14505](http://www.nature.com/news/power-to-the-people-1.14505)

[1] [http://www.lightbluetouchpaper.org/2014/01/08/opting-out-
of-...](http://www.lightbluetouchpaper.org/2014/01/08/opting-out-of-the-
latest-nhs-data-grab/)

[2]
[http://www.cl.cam.ac.uk/~rja14/Papers/caredata_trifold.pdf](http://www.cl.cam.ac.uk/~rja14/Papers/caredata_trifold.pdf)

[3]
[http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Do...](http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Documents/NHS_Door_drop_26-11-13.pdf)

------
Fuxy
I will be opting out of this thank you very much.

I don't like my insurance company knowing my health status.

If insurance companies are not willing to take risks their in the wrong
business.

I want to be able so see who accessed my information so i am able to prove
with certainty when a insurance company discriminates against me.

Plus the reason they claim they accessed it would be very important when i
demonstrate their misuse of the data.

~~~
HNSHITSAYS
>>>"I don't like my insurance company knowing my health status."

Are you joking? Insurance companies have/need access to all the data about
you, otherwise they won't be able to pay providers for the services.

This is equivalent of Tea Party activist proclaiming "Keep government out of
my Medicare".

These Privacy FUD articles bring out the worst of HN.

~~~
escapologybb
I'm not sure if you read the article, but I'll assume you have and you missed
the part where this was about the NHS in England.

My healthcare when I turn up to hospital in the UK isn't being paid for by an
insurance company, it is - basically - funded through taxes and administered
through central government.

Hope that clears it up for you.

------
blueskin_
Long article without the one piece of information I wanted: How to opt out.

Edit: [http://medconfidential.org/how-to-opt-
out/](http://medconfidential.org/how-to-opt-out/)

~~~
nmc
9th paragraph:

 _" unless people choose to opt out via their family doctor "_

~~~
blueskin_
That's both useless and inconvenient. Their site even says a doctor might not
actually do it, and having the optout so hidden in that way would violate the
spirit of not the letter of the Data Protection Act. It's also a huge waste of
time and money on the NHS, which is already expensive and overstretched.

------
davb
It's worth noting that this appears to only affect NHS _England_.

~~~
arethuza
Well spotted, I think we all tend to forget that there are actually 4 separate
NHSs in the UK - one each for England, Scotland, Wales and Northern Ireland:

[http://en.wikipedia.org/wiki/National_Health_Service](http://en.wikipedia.org/wiki/National_Health_Service)

------
sleepyK
Well, just one more step forward in Britain's unrelenting stride towards
becoming a total surveillance state. :/

Once the data is commercially available, it'll be sure to lead to even more
targeted marketing, and discrimination by insurance firms.

Edit (couldn't resist :P)

England Prevails!

------
mistakoala
Oh noes! Those baby-eating Tories are selling our souls!

But it will be _just fine_ when a Labour government floats the idea.

[http://www.telegraph.co.uk/health/3022434/Private-
companies-...](http://www.telegraph.co.uk/health/3022434/Private-companies-
could-get-access-to-millions-of-NHS-medical-records.html)

------
ealexhudson
This is mostly a good thing. The NHS is of course a huge trove of valuable
information, but there are some incredibly compelling reasons to make it
available to anyone who can improve patient care - start-ups should be
interested in this too.

~~~
tomp
In an ideal society, I totally agree. However, in today's world, such data
will mostly be exploited by health insurance companies, credit rating
agencies, employers, and paparazzi. Unless, of course, the government(s) pass
laws that protect the rights of the people and limit the influence of the
industry, but that is rather the opposite of what has been happening recently.

~~~
Silhouette
It's not so much health insurance companies I'm worried about, as they will
probably have access to medical information about their clients anyway, and
organisations like BUPA probably do take patient confidentiality seriously.

I'm more concerned about other forms of insurance, and about links to people
related to you and not you personally. For example, what if people start
getting a higher car insurance quote because someone in their household had an
alcohol problem a few years ago? What if parents start getting refused life
insurance because someone's sibling died young from an unlucky genetic
problem?

Plus there are the obvious concerns if employers or their
representatives/trade bodies can get hold of this kind of data and
discriminate in dubious ways when making hiring decisions (sorry, we don't
hire anyone who ever had a drug problem, even if they've been clean for a
decade), media people going after celebrities/politicians/crime victims (that
rape victim was _obviously_ a slut, look at the two STIs she's had in the past
five years), and so on.

~~~
tomp
I agree, except for the last one, which I'm not concerned about - in an
open/transparent society, such "problems" (slut/drug abuser/B&D/...) would not
be considered problems any more, but only "life phases"/"exploration
periods"/"lifestyles" \- after all, when everybody is "weird" in one way or
another, nobody is really weird any more.

It's only the commercial exploitation I'm worried about - it has a lot of
potential to meaningfully impact human lives, usually for the worse, and often
because of things said humans have no influence on.

Though for those living in totalitarian/fascist societies (e.g. gays in
Putin's Russia) have much better reasons to be concerned.

------
plg
re: the risk of insurance companies using the data to reconstruct identities:
Mark Davies, the centre's public assurance director says "I think it is a
small, theoretical risk"

this guy is either (a) a liar or (b) horribly naive or (c) misinformed by his
experts (or all of the above)

Even if the data are "pseudonymised", if they still contain age, gender,
ethnicity, postal code, and even a small smattering of medical info (or other
info) then it's pretty much a done deal to link the records back to a person.

Think of it this way as well : even if they can "only" narrow down a given
record to 100 people, so what? They just treat those 100 people the same (i.e.
poorly).

This sets a horrible precedent. One's medical records ought to be one's
personal, private property, and any release of such ought to be with the
express permission of the owner (i.e. the patient).

------
kevcampb
I read this article and was astounded there wasn't a massive outcry about
this. Then I dug around some more and it seems the guardian article is really
quite misleading.

There is a Health Service Journal article at
[http://www.hsj.co.uk/comment/more-patient-data-ultimately-
me...](http://www.hsj.co.uk/comment/more-patient-data-ultimately-means-better-
care/5066865.article#.Ut3Ef2SwqS4) which gives more details.

The "pseudonymised data" is also referred to "amber data" and does not contain
the postcode, DoB or NHS number of the patients.

The "red data" which contains this additional information is not available to
3rd parties except in exceptional circumstances - eg: a national emergency
with an outbreak of some deadly disease where the government is trying to
contain it.

------
TomLTomL
Information on how to opt out here: [http://medconfidential.org/how-to-opt-
out/](http://medconfidential.org/how-to-opt-out/)

38 degrees petition here: [https://you.38degrees.org.uk/petitions/prevent-the-
sale-of-n...](https://you.38degrees.org.uk/petitions/prevent-the-sale-of-nhs-
patient-records-to-drug-and-insurance-companies-1)

Further information here: [http://www.care-data.info/](http://www.care-
data.info/)

Epetitions (official govt site) petition here:
[http://epetitions.direct.gov.uk/petitions/53994](http://epetitions.direct.gov.uk/petitions/53994)

------
Flenser
HSCIC Privacy Impact Assessment 2013:

[http://www.hscic.gov.uk/media/12931/Privacy-Impact-
Assessmen...](http://www.hscic.gov.uk/media/12931/Privacy-Impact-
Assessment/pdf/privacy_impact_assessment_2013.pdf)

------
throwwit
>> "NHS patient data to be made available for sale to drug and insurance
firms"

read as: Private NHS data given to companies to improve bottom lines and
discover new revenue streams

