Thought Care.Data was scrapped? Your Private Medical Records Will Be Shared With or Without Your Permission
By Graham Vanbergen – Remember Care.data? You would think, reading this – “NHS England is scrapping its multimillion-pound Care.data programme which aimed to share patient information across the NHS” – that the scheme had in fact been scrapped.
The new announcement, by life sciences minister George Freeman, comes after a government-ordered review from Dame Fiona Caldicott, who said ministers should look again at the future of Care.data. At this point privacy advocates may well have thought that a clear victory had been won. But a review does not mean scrapping; it simply means finding another way.
To recap – Care.data was a government initiative that aimed to take patient records from GPs’ surgeries and combine them with existing data already collected by the NHS data centre, called HSCIC. The idea was that the single combined database would be used for future NHS planning needs and medical research but, worryingly, also for commercial exploitation. It was here that Care.data seemingly met its end. In the meantime, the 2012 Health and Social Care Act ensured that any data sharing would be legal. This even went as far as providing full protection in the absence of patient consent, which of course no database management system can ever guarantee.
It was not surprising that the public reacted badly to Care.data. The information to be shared included: drug and prescription use, mental health, hospital visits/reasons/action, learning disabilities, psychological therapies, screening, sexual and mental health – amongst a long list of other conditions. In 2013, Jeremy Hunt, the Health Secretary, eventually assured the public that patients would be allowed to opt out of having their most private and intimate health data shared, by way of a doormat-delivered leaflet. (Also see video at 14 mins 50 HERE.)
In round one of the pilot scheme, those people who had opted out of the scheme to ensure their privacy did not realise that the upload of GP data to HSCIC never actually happened. To make matters worse, approximately 700,000 patients chose a different opt-out that prohibited any data sharing but, even though the opt-out was applicable immediately, it was then disregarded by HSCIC until April 2016.
The result of this mess was a total pullback by the government amid patient and privacy advocate objection.
Dame Fiona Caldicott recommended a new format. In her new proposals, medical records from GPs’ surgeries will be sent to HSCIC without patients’ consent in the first place. That gets rid of problem one. The report argues that HSCIC is a safe haven for all medical data, which of course it can’t be if the data is to be subsequently shared. A whole host of other reasons recommended in the report also mean that opt-outs by patients are severely limited, and that gets rid of problem two. In addition, opt-outs will not be required for so-called ‘anonymised data’, which formed part of the objections to Care.data, as much of the data was in fact so detailed that making it personal was not a problem for the determined (such as insurance companies). This gets rid of problem three.
Although the Caldicott report excludes the use of personal data for commercial exploitation, there are already a number of private medical organisations working within the NHS as part of the privatisation drive that will have access to the data anyway.
What this new proposal clearly shows is that the government plans to proceed with its Care.data successor, which appears to be a “single GP dataset”. Basically, Care.data without the opt-outs or legal protections. Due to the highly limited ability of patients to opt out, this new plan would fall foul of the new European data protection law’s rules of consent, i.e. that a “clear affirmative action” is required, in this case by the patient.
Although Caldicott’s report makes a number of security recommendations, ten to be precise, anyone in such a position should responsibly look at the facts when it comes to security of data regarding healthcare. This is because private healthcare organisations will do almost anything to acquire the data as it would prove very, very profitable.
To demonstrate just how much, just look at what is going on in the United States. In 2015 alone, the private medical records of 35% of the entire adult population were hacked and/or stolen. As Forbes reported just 7 months ago: “The bulk of the breaches–about 38%–were reported as “Unauthorized Access/Disclosure,” but fully 90% of the top ten breaches were reported as a “Hacking/IT Incident.” As a category, “Hacking/IT Incident” represented 21% of all breaches. The other top category was “Theft” at 29% of all breaches.”
What this really means is that nearly 115 million Americans had their personal healthcare data stolen. To make matters worse, of the 18,000 complaints about private healthcare data breaches received by just one department, only six were prosecuted.
Security experts in the US predict 1 in 3 patients will have their private information stolen during 2016 and as the IDC Health Insight Group chillingly states quite clearly “those bad guys will mine the health care industry’s data to steal patient records and personally identifiable information to commit health care fraud”.
The Forbes article goes on to say that, in a recent study, it was estimated that breaches of privacy data cost the healthcare industry about $5.6 billion annually. As healthcare moves toward connected care (as proposed by Care.data and its proposed successor), the amount of data exchanged between organizations will only grow.
In the meantime, the government is going ahead with the sharing of private health information for British patients, with or without your permission, and the target for implementation, as fully outlined in the “Workstream 2.2 Roadmap”, is no later than March 2020.