Advertising company given access to 1.6 million NHS patient records

Google’s DeepMind to scour data to determine those at risk of developing acute kidney injuries.

Advertising company given access to 1.6 million NHS patient records

The New Scientist has obtained a document revealing that an advertising company has been given access to some 1.6 million UK National Health Service patient records.

The name of the advertising company? You may have heard of it. It’s Google.

Well, strictly speaking it’s a Google-owned AI firm called DeepMind, and the agreement apparently states that the Google cannot use any of the data in other parts of its business.

Sign up to our free newsletter.
Security news, advice, and tips.

But as the New Scientist explains the medical data collected will extend far beyond those with kidney conditions:

The document – a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust – gives the clearest picture yet of what the company is doing and what sensitive data it now has access to.

The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years.

One hopes that Google will respect patients’ privacy, and not attempt to misuse the information. You may also want to cross your fingers that the systems are properly secured – as even leading technology companies like Google have been compromised by state-sponsored hackers with the intent of spying.


It seems that the data itself will not be stored in DeepMind’s offices but with a separate UK company contracted by Google. DeepMind is apparently obliged to delete its copy of the data when its agreement with the NHS Trust expires at the end of September 2017.

There’s no doubt in my mind that Google is one of the better data-crunchers out there, and they probably could do some extraordinary work in analysing vast amounts of medical records in an attempt to provide better treatment for those who need it.

But I’m also all too aware that they are primarily an advertising company – eager to gather as much personal information about people’s lives, habits, relationships and health because of the huge opportunities for monetisation.

There is a real need to tread carefully here.

If you don’t like the idea of Google and other non-NHS organisations rifling through your medical records, the answer is to opt-out according to BBC News.

Opting out. That’s always the route offered by cowardly internet companies who want to grab your data, and are worried that Joe Public won’t see the benefit of opting in.

Wouldn’t it be a breath of fresh air to see an internet company ask people to actually opt-in to have their data shared more broadly, just once?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Advertising company given access to 1.6 million NHS patient records”

  1. Monica Dumone

    given what happened with Google Maps being outed for storing data of open wifi connections they better have some real fail safes in operation.

  2. graphicequaliser

    "It seems that the data itself will not be stored in DeepMind's offices but with a separate UK company contracted by Google."

    That statement worries me, because, if the UK company's security is not up to scratch, then it will be hacked – extremely valuable data attracts the most ardent and capable hackers. Google has a lot more ability to secure itself than a small, "unheard of" UK company. That data is going to be leaked!

  3. Keith Appleyard

    Whilst the contract insists that personally identifiable information, such as Name, Address, Post Code, NHS number, Data of Birth, Telephone number, e-mail address, must be encrypted whilst in transit to Google, it does not explicitly prohibit that data being held unencrypted at the non-NHS location. Moreover, it is usual for such personal data to be pseudonymised, so to mask the true identity of the patient. However, in this contract it explicitly states on page 5 : “as this data is being held for direct patient care purposes, pseudonymisation is not required”. Therefore there is some risk that personal data could be accessed at the non-NHS location. If the researchers are not intending contacting the patients themselves, why can’t they just use the NHS number plus say Gender and Data of Birth and Postal Region, given that sharing of Name, Address, Telephone number & e-mail address could be considered excessive (and thus in breach of Data Protection Principle No.3)?

  4. Starrxxfoxx

    Thank goodness we have HIPPA laws here in the USA protecting our private medical information.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.