GE Healthcare Admits Sending NHS Patient Data To US

Personal details of 600,000 patients were sent to the US following a mistake made by the NHS’s IT provider, GE Healthcare.

GE Healthcare admitted to TechWeekEurope that the error had occurred after it had obtained more patient data than it had needed, but stressed that there was no need to worry.

Overloaded

“As a result of an internal review, GE Healthcare recently learned that we obtained more patient data from our diagnostic imaging products than we needed to perform services for our customers,” a company spokesman said. “We regularly obtain data to help ensure product reliability and to deliver related services.”

“We immediately undertook an extensive analysis using outside experts, and, based on that analysis, we are confident that this data was not lost, hacked, misused or stolen,” they added. “We have stopped receiving this unneeded data, and we are continuing to review our business processes for data privacy compliance. We take data privacy very seriously, and we are working hard to help ensure we have the best possible privacy processes in place to prevent this from happening again.”

It is reported that the data included ID numbers, initials, gender, height, weight, age and clinical information, and that although the problem was discovered last year, the relevant watchdogs were not told until last month. Under the Data Protection Act, details cannot be sent outside the European Union without safeguards being put in place.

No action to be taken

The Information Commissioner’s Office (ICO) told TechWeekEurope that GE Healthcare had informed it about an issue the company had identified with the equipment used to record bio-data, but that the ICO had no plans to take any action.

“Our understanding is that the issue was identified by the company and they are currently working to fix the problem,” it said. “As it does not appear that any personal data has been compromised, we do not anticipate taking any further action at this stage. However we will continue to advise GE Healthcare on the obligations they must meet under the Data Protection Act (DPA) and we will take action if necessary.”

The ICO has previously labelled the NHS as the worst offender for data breaches in the UK and has warned that the organisation must do more to prevent such breaches happening again.

However, the warnings were evidently not heeded and did not stop the Surrey and Sussex Healthcare NHS Trust from losing the confidential records of 800 patients on an unencrypted USB stick in October last year. Meanwhile, the Brighton and Sussex University Hospital Trust said that it would appeal if it was fined £375,000 by the ICO over an alleged breach of the Data Protection Act.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
