A closer look at the PA Consulting and NHS patient medical records debacle

According to explosive allegations from prominent Tory MP Sarah Wollaston, the consulting firm PA Consulting may have conducted one of the largest and most serious data breaches in history by uploading 27 DVDs worth of patient medical records into Google BigQuery. Google BigQuery is a cloud-based big data analysis suite that’s designed to quickly parse huge data sets in seconds to return useful information.

The allegations against PA Consulting are particularly damning at the moment. A month ago, it was announced that the National Health Service would begin selling data to health insurance companies and pharmaceutical manufacturers. This provoked a firestorm of controversy that hasn’t been assuaged by promises to anonymise the data. So-called “anonymising” techniques have proven pitifully easy to break in most cases. Studies have shown that 87 per cent of Americans can be uniquely identified using just three pieces of data – birth date, gender, and zip code. The British scheme provoked further protests by being opt-out rather than opt-in.

The leak

The Guardian, quoting Wollaston, states that PA Consulting uploaded the “entire start-to-finish HES [hospital episode statistics] dataset across all three areas of collection – inpatient, outpatient and A&E.” It further testifies that the data set was the size of 27 DVDs, took weeks to upload, and quotes unnamed management consultants as saying: “Within two weeks of starting to use the Google tools we were able to produce interactive maps directly from HES queries in seconds.”

The problem with PA Consulting is that the company waves away security concerns at every step. It blithely promises that it bought this data from the NHS but took “certain security restrictions.” It states: “As PA has an existing relationship with Google, we pursued this route (with appropriate approval). This shows that it is possible to get even sensitive data in the cloud and apply proper safeguards.”

Literally the only proof provided in PA Consulting’s documentation that the safeguards are appropriate or thorough is the use of the word “appropriate.”

In the wake of the story, PA Consulting has testified that it purchased the Health and Social Care Information Centre (HSCIC) through appropriate channels, that the data is secured appropriately, and that the information was safeguarded according to government standards. The HSCIC has released its own statement confirming this to be the case. Unfortunately, the HSCIC has previously acknowledged that its own recommended “best practices” for anonymising data may not be up to the job.

It’s not clear if this is the end of the story – some sources have hinted that there are far worse announcements to come. From the shape of things at the moment, PA Consulting (the firm's ad copy is shown below) may not have broken the law. But the sober takeaway here is that when it comes to grinding down your personal data into sellable chunks, the collaboration between governments and corporations has nothing to do with serving you, the original owner of said information.

If the goal was to balance the genuine privacy concerns of the individual against better insight into medical costs or drug treatments, the government would have created a new set of ironclad anonymising practices, while the consultant group would have bothered to explain its precautions when handling this information. Instead, we’re told that we should trust PA Consulting’s relationship with Google, as if Google had been chosen to host this information through an open bidding process and in direct partnership with the NHS itself.

Google’s BigQuery is not the problem. The problem is that these partnerships and cooperative efforts have been negotiated like backroom deals. The US isn’t much better off when it comes to this topic, either – the country’s HIPAA (Health Insurance Portability and Accountability Act) laws may be slightly tighter, but the NSA’s obsessive wiretapping and spying have destroyed any claims America might once have made about its respect for citizen privacy.

The most damning thing about this story is that, if the current explanations hold, there may quite simply be nothing anyone can do about this.