back to article NHS slaps private firm Health IQ for moving Brits' data offshore

Health insurance and financial data management biz Health IQ is the latest outfit to have its wrists slapped by NHS Digital in the UK for failing to comply with data processing rules. A technical audit of Health IQ concluded the company had breached its Data Sharing Agreement with the NHS "by holding and processing data …

  1. Vimes

    Why are they allowed to continue to provide services to the NHS at all?

    1. Only me!
      Pint

      Change Control

      Now I both love and hate change control and always push for "risk balance", I deal with small software houses, but they delver critical bespoke stuff. So it is just impossible to enforce enterprise governance.....but even me pushing the limits always asks wheres the data and what are you doing with it!? I then ask for a nice picture to show me.

      So if this happens what the F$^% is going on?

      End contact, sack the people involved in procuring the contract.

      Lessons learned:

      Understand what the heck you are asking for in the first place!

      Go for a beer, it's a Bank Holiday weekend here :-)

    2. BillG Silver badge
      Devil

      Phil Booth, coordinator of pressure group medConfidential, questioned why private companies are continue to break the rules around data sharing... "We get told that there are rules in place to protect the privacy of patients. But yet again they've been ignored without penalty."

      Because no one has been subject to a serious penalty for breaking the rules. Hit them with a fine of a few million £. Until then, private companies will have the attitude of "we'll host offshore and save money until someone tells us not to. Then we'll pretend to obey the rules until we do it again".

    3. John Smith 19 Gold badge
      Unhappy

      "Why are they allowed to continue to provide services to the NHS at all?"

      That's the really effective penalty, along with deleting all copies held of the data, so you can't go on data mining the old data set.

      If the NHS did that to a company or two the attitude of the rest would change fairly quickly.

  2. Anonymous Coward
    Anonymous Coward

    BASTARDS

    why is it so vital that our medical histories have to be held on American servers? Is it that important that the FUCKNAUTS at the NSA have to know about the fungal infection i had on my bell end?

    1. Anonymous Coward
      Anonymous Coward

      Re: BASTARDS

      it that important that the FUCKNAUTS at the NSA have to know about the fungal infection i had on my bell end?

      Yes, it allow them to make a blackmail profile of you for possible future use.

      1. DocJames
        IT Angle

        Re: BASTARDS

        it that important that the FUCKNAUTS at the NSA have to know about the fungal infection i had on my bell end?

        Yes, it allow(sic) them to make a blackmail profile of you for possible future use.

        Fungal infections on bell ends are not related to hanky panky. They may be due to lack of cleaning (more colonisation than infection IMH (but professional) O), corticosteroids, poorly controlled diabetes mellitus, HIV or recent antibiotics, but I don't think any of these things are blackmailable really (except HIV, and even that isn't for most people living with it now). This is just another example of data fetishisation (which should definitely be blackmail material), aka "I'm having trouble finding the needle, so I added 31 more haystacks to make it easier"

    2. Anonymous Coward
      Anonymous Coward

      Re: BASTARDS

      "the fungal infection i had on my bell end"

      Nobody wanted to know that. Anyway, have a nice weekend....

  3. frank ly Silver badge

    "... the errors are often basic and avoidable."

    They are not errors. It's deliberate, probably to save money, and they know there will be no penalty if they get detected. You can't trust anybody with data. They wouldn't store it for you unless they thought they could make a profit in some way and then the profit becomes the driving and only consideration.

    1. Hollerithevo Silver badge

      Re: "... the errors are often basic and avoidable."

      Agree. I figue the goal was to extract data. Even a fine would be less than what you can do with the treasure you've pulled off to friendlier clouds.

    2. werdsmith Silver badge

      Re: "... the errors are often basic and avoidable."

      I know this one. When working with NHS data in our own UK secure data centre, we cannot let our outsourced overseas developers near it. The developers are always complaining about it, but may only work with dummy data, and cannot get involved in support of the system where the real data lives.

      But you just adapt and learn to work that way and it's fine. There's no excuse for taking liberties.

  4. Anonymous Coward
    Anonymous Coward

    "This helps to ensure that ... data is kept safe and secure"

    So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.

    Except there is this thing called "The Internet" which connects all the clouds together.

    1. TitterYeNot

      Re: "This helps to ensure that ... data is kept safe and secure"

      "So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.

      Except there is this thing called "The Internet" which connects all the clouds together."

      Having briefly scanned the audit report, I don't think that's quite what the auditors are saying. I can't see any reference to data being stored in a non-UK datacentre, but I do see a reference to aggregated data in the London data centre being available 'online' i.e. presumably internet facing, and so available to users in other countries (that's probably why the London data centre is no longer used.)

      This is most likely what the main point of the story is - servers storing NHS data should never be accessible via the internet, only via internal LAN / WAN (with WAN connections encrypted over point-to-point VPN.)

      The only other failings I can see in the report are the usual suspects - logins shared between 2 admins, unlocked unattended laptops, poor audit trail for information governance training etc. etc.

      1. Steve 114

        Re: "This helps to ensure that ... data is kept safe and secure"

        Huge thanks for actually reading the report. This stuff is genuinely difficult, and well-meaning 'committees' have, to my personal knowledge, floundered for 15 years+ in trying to make constructive and responsible use of anonymised health data, in a way that any other industry (aviation?) would have (equally defectively?) cracked years ago.

        1. Adrian Midgley 1

          They would not have cracked it because

          it is impossible.

          If you don't collect the data together, but instead send the queries out, you might make some use of it, but that doesn't satisfy the centralists.

    2. Blane Bramble

      Re: "This helps to ensure that ... data is kept safe and secure"

      So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.

      Except there is this thing called "The Internet" which connects all the clouds together.

      No, what they are saying is that whilst it is stored in a cloud hosting provider in the UK it is subject to, and protected by UK law.

      Whilst it is hosted outside the UK it is subject to, and protected by the laws of that country.

  5. Anonymous Coward
    Anonymous Coward

    Why has this company got access to NHS data anyway?

    From their website,

    "The data we use is non-identifiable and non-sensitive, and we never give direct access to raw data, rather we provide insight, build tools and aggregate data."

    "Real World Data Collector is powered by Health iQ who are leaders in real world data with an outstanding NHS informatics and health intelligence heritage. We work with many of the biggest names in life sciences providing market-leading insight and are pioneers in Simulation Modeling and Prospective Data Collection for Market Access and digital informatics."

    Why make it anonymous? Market Access?

    Did someone claim care.data was dead?

    1. Warm Braw Silver badge

      Health iQ ... are leaders in real world data with an outstanding NHS informatics and health intelligence heritage

      They seem to have been a very unremarkable small company operating out of serviced office premises in Whitechapel until the end of their accounting period in 31st Jan 2014. Then suddenly it seems they acquired substantial debt and a compensating sizeable chunk of "intangible assets", apparently in the form of a patent license of some kind, so it looks like they have some ambitious plans for the data they hold.

      The "offshore" bit is perhaps the least concern - they're using servers based in Ireland. More worryingly, they were sharing passwords to the NHS Secure Electronic File Transfer system from which they obtain the NHS data. They are currently not in receipt of NHS data until the audit issues are addressed, but the audit suggests they only conduct a penetration test of their new system (presumably after relocating from Ireland) "once Health IQ has received a full data set": I would have thought one would conduct the penetration test (to the extent they're useful) before loading the system with live health data. Also, their staff were leaving the office leaving their laptops unlocked with access, presumably, to the raw NHS data. The audit also says that the contracts with Health IQ customers - sub-licences for the NHS data - were undated and used scanned signatures.

      Having said all that, I suspect a snap audit of a hospital would find a great deal worse...

  6. John McCallum
    Devil

    So, they got slapped on the wrist ? was this also a size 13 to the nuts as well, we live in hope.

  7. Chris G Silver badge

    So how about deleting the back ups

    The data held offshore would presumably be backed up, posssibly at more than one other site, were the back ups assuredly deleted or are they still out there?

    I' m guessing the potential profits from breaking the rules are greater than the losses from a slapped wrist.

    For the most part once data is out there it stays out there, I'm too cynical to think that anything moved incorrectly or ilegally will not be copied before being 'deleted' if it is valuable.

  8. Tubz

    No big fine by the ICO, can pay for a few operations, or some big wig politician on the board of directors ???

    1. John 110

      @Tubz

      "or some big wig politician on the board of directors ???"

      ALL the big-wig politicians have heavy investments in private healthcare, that's why they want to shaft the NHS

  9. James 47

    Why do charities need access to medical data?

    1. Doctor Syntax Silver badge

      "Why do charities need access to medical data?"

      They're probably charities such as http://www.cruk.manchester.ac.uk/

      I think it's reasonable that they may require medical data.

      But as for data processing firms who can't be bothered to comply with the T&Cs under which they have access, it should be end of contract for good. Once one or two discover the hard way that the T&Cs aren't just collections of black marks on paper or screens the rest will get the message.

  10. LindaJoyAdams

    An international cabal has gabbed hold of the official records of governments and individuals held in trust by governments. USA lost control in the COUP OF 2002 when Congress defunded any real internal audit controls, criminal investigations and SEC also as contracting out became the norm and an international maze of shell companies and illegal secret del partnerships took control . as governments contracted out systems work rather than hiring in house civil servant programmers and paying them a larger salary as they once did. Off shoring expected to be completed as soon as he Trans Pacific Asia Partnership treaty is passed by all nation. ONE PERSON ON ONE SERVER WILL SOON BE ABLE TOCONTROL EVERY PERSON , ENTITY AND NATION IN THE WORLD AND DO IT IN A PLACE NO GOVERNMENT CAN ARREST.ONE NOT STOP IT :Absolute power corrupts absolutely and should never be done. THIS IS NOT A WORLD GOVERNMENT BY A one world beast system that answers to not human government .

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019