Published on September 2nd, 2015 | by Carsten Maple


The Privacy of Medical Data

The benefits of having medical data in electronic format is clear – the patient benefits because we can transfer data quickly to assist in prognosis and diagnosis, and we can monitor the efficacy of treatment.  For the doctors, we can study epidemiology and organise treatment for a population. The government clearly sees the benefit of shared health data.  Indeed the NHS has been collecting data on hospital stays since 1989.  These hospital episode statistics (HES), as they are known, were useful in revealing both the Bristol heart and Mid-Staffordshire scandals.

However, when the NHS tried to increase the collection of this data, to include details of patient interactions with GPs, the so-called project, there was public concern regarding the privacy of medical data and who would have access to this.  The British Medical Association, privacy campaign group Big Brother Watch and the Association of Medical Research Charities all criticized the project.  The project, due to start last year, was initially postponed for six months.  After much more than six months, it now appears to be progressing.  Blackburn with Darwen, the furthest down the line of the four “pathfinder” trials, is currently writing to patients of a number of its practices.

How patients respond is yet to be seen, but it does again raise the issue of privacy and security of medical-related information.  It appears that most of us want our private medical data to remain just that – private.  Keeping our data private is not that easy it seems. In March this year, North Tees and Hartlepool NHS Foundation Trust has been ordered by the Information Commissioner’s Office (ICO) to review its data protection policy after a file containing sensitive patient information was found at a bus stop.  This is not an isolated incident by any means.  Between April 1, 2014 and March 31, 2015, there were 1,814 data breach incidents reported to the ICO.  Of these, a staggering 747 (or 41%) of the incidents were from health organisations.  I am sure if this was widely publicised, there would be an outcry.  Or maybe not.  Maybe we are now becoming desensitised to data loss.  Hardly a week goes by without us hearing of some new information loss.  Or maybe there won’t be an outcry because attitudes have changed and we no longer care who can see our medical information.

People are increasingly sharing their clinical and non-clinical data.  Indeed, some have gone to great lengths to make their own medical data available.  In 2012, Salvatore Iaconesi put his own medical records online very deliberately.  He had been diagnosed with brain cancer and wanted to enlist the help of others for “cures for the body, for spirit, for communication.”

There has also been growing interest in the Personal Genome Project. (PGP). PGP, established at Harvard University, aims to attract 10,000 volunteers and will make publically available over the Internet their information including full DNA sequence, medical records, MRI images and medication.  They are over a third of the way to attracting the number of volunteers they would like, and UCL are now running a UK version of the project.

I regularly see on social media how far some of my friends have been running and cycling.  This data has come from an app on their mobile phone, or a fitness bracelet, or some other smart devices.  And they are happy to share that information with me.  However, I wonder how many of them realise who else they are sharing their information with.  A recent report by Symantec found that some of the devices and applications they considered were sending data to up to 14 different remote services.  What these services were then doing with the data is out of the control of the person wearing the device.  Information that was collected or inferred went beyond how far and where somebody ran, and included data on drugs and medicine, sexual activity, menstruation, allergies and moods.  But that isn’t the only information transmitted.  Twenty percent of the fitness apps transmitted unencrypted passwords.  Given that my friends are very security-conscious I’m sure they don’t use those passwords for any other services!

So perhaps people who read this will not be concerned that there were nearly 750 incidents where medical confidentiality was breached, in a single year.  After all, we seem less concerned about keeping our health data private than we were a year ago.  Or maybe it’s just that we are not aware of who is seeing what.


Professor Carsten Maple is Professor of Cyber Systems Engineering. He is the Director of Research in Cyber Security working with organisations in key sectors such as manufacturing, healthcare, financial services and the broader public sector to address the challenges presented by today's global cyber environment.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top ↑