The Department of Health and Social Care has been selling the medical data of millions of NHS patients to international drugs companies, according to reports.
Senior NHS figures told the Observer that patient data compiled from GP surgeries and hospitals, which is then sold for huge sums for research, can routinely be linked back to individual patients’ medical records via their GP surgeries.
They said there is clear evidence this is already being done by companies and organisations that have bought data from the department, having identified individuals whose medical histories are of particular interest.
Concerns that the data is not truly anonymous have been raised by senior NHS officials, but the DHSC insisted it only sells on information after thorough measures have been taken to ensure the complete anonymity and confidentiality of patients’ personal information.
Asked if it was right to say that the patient data was anonymous, Professor Eerke Boiten, director of the Cyber Technology Institute at De Montfort University in Leicester, said: “The answer is no, it is not anonymous. If it is rich medical data about individuals then the richer that data is, the easier it is for people who are experts to reconstruct it and re-identify individuals.”
The NHS has previously faced claims that medical data from millions of patients has been sold to insurance companies.
Phil Booth, coordinator of medConfidential, which campaigns for the privacy of health data, argued the public was being betrayed by claims that the information could not be linked back to individuals. “Removing or obscuring a few obvious identifiers, like someone’s name or NHS number from the data, doesn’t make their medical history anonymous,” he said. “Indeed, the unique combination of medical events that makes individuals’ health data so ripe for exploitation is precisely what makes it so identifiable. Your medical record is like a fingerprint of your whole life.”
Neil Bhatia, a GP who is Information Governance Lead and data protection officer in Hampshire, added that truly anonymous data – utterly incapable of being traced back to an individual – is very hard to achieve, given that there is so much information about us in the public domain and held by companies such as Facebook and Google.
“In fact, it’s almost impossible for record-level data (where each line of the dataset corresponds to an individual) to be made truly anonymous,” he said.