GE Healthcare comes clean over NHS data leak

News 16 Apr, 2012

Technology provider speaks out following reports it posted details about 600,000 NHS patients to overseas servers.

GE Healthcare is to review its privacy procedures, after the firm was accused of collecting data from 600,000 NHS patients and posting it abroad.

In a report on the Sun's website, it is claimed that clinical records about patients’ height, weight and age were collected by the firm and saved to servers in the United States.

GE Healthcare is responsible for supplying technology to the NHS, including imaging, diagnostic and patient monitoring tools.

We are confident that this data was not lost, hacked, misused or stolen

In a statement to IT Pro, GE Healthcare confirmed that it had collected more data than it needed, but insisted that all of it could be accounted for.

“GE Healthcare recently learned that we obtained more patient data from our diagnostic imaging products than we needed to perform services for our customers,” the statement read.

“We immediately undertook an extensive analysis using outside experts, and we are confident that this data was not lost, hacked, misused or stolen.”

The firm also claimed that it has ceased collecting “unneeded data”, and is in the throes of reviewing its privacy and compliance procedures.

“We take data privacy very seriously, and we are working hard to ensure we have the best possible privacy processes in place to prevent this from happening again,” the statement concluded.

In a further statement to IT Pro, the Department of Health denied the leak had compromised patient privacy.

"No patient's privacy has been infringed and no patient's identity has been disclosed," it stated. "Action is being taken by GE Healthcare to ensure that the data collected is deleted as swiftly as possible and that there is no [recurrence]."

Even so, Nick Pickles, director of privacy campaign group Big Brother Watch, told IT Pro this case would be a major cause of concern for NHS patients.

“The fact this all happened by accident should add further impetus to the need for the ICO to fully investigate the way that cloud services impact on patient privacy," said Pickles.

"There should be an urgent investigation into just how many NHS bodies are sending data to other countries to save a few pennies, potentially putting patient privacy at serious risk."

Meanwhile, a representative from another campaign group, Privacy International, said companies should never over collect data.

"Once data is collected, it will always be vulnerable to exposure by human error or corruption, which is why companies should never collect more information than they actually require," said the representative.

"These risks only increase once data leaves the comparative security of the European Economic Area," they added.