DeepMind Data Breach


In 2015, DeepMind Technologies entered a data sharing arrangement with the NHS for patient data. This data was then used illegally, with 1.6 million patients affected by this privacy violation. This page explains how this breach happened. 

The DeepMind Data Breach

The Royal Free NHS Foundation Trust shared the personal data of patients with AI company Google DeepMind. The transfer of data was done to test a new medical app (called Streams). But the use of data by Google DeepMind eroded patient rights and breached the Data Protection Act (DPA).

Patients who attended The Royal Free Hospital, Barnet Hospital or Chase Farm Hospital between 2010 and 2016 might have had their data privacy rights breached. In total, 1.6 million people may have been affected.

The ICO's Investigation

According to an investigation by the UK’s data protection watchdog (the ICO), there were several failings in the processing of patient records. The then Information Commissioner, Elizabeth Denham, said that lessons should be learnt from this case.

Deep concerns over medical data sharing

Many people are happy for their data to be used to improve patient care and make clinical advancements. But laws exist to ensure this is done in a way that does not harm patients. People should also be told how their records will be shared and be asked for their consent.

Despite these laws, there are real worries about how medical data is being used (and might be used in the future). For example, what would happen if an insurance company got hold of your medical data and increased your life insurance premium or refused you cover?

Were you affected by the Google DeepMind data protection failure?

Anyone who attended The Royal Free Hospital, Barnet Hospital or Chase Farm Hospital between 2010 and 2016 could have been affected by this data violation.


What personal data was shared with Google DeepMind

Admissions, discharge and transfer data, accident and emergency, pathology and radiology, and critical care data were all passed to Google DeepMind.

This sensitive patient data included details such as whether patients had been diagnosed with HIV, suffered from depression, or had ever undergone an abortion.

This information was not anonymised.

What does the law say?

Any organisation can apply for access to NHS patient data, but there are strict controls on how companies can use this information. For example, personally identifiable patient data (anything that can be used to identify you) can only be shared if there is a health benefit. Personal data must also be processed under the UK’s data protection laws.

Despite this, questions remain about who our medical records are being shared with and why. There are also concerns about what happens to our patient data when it leaves the NHS.

DeepMind Data Protection Breach Timeline

  • 2010
    British artificial intelligence (AI) company DeepMind Technologies is founded.
  • 2014
    Google buys DeepMind for $500 million. As part of this deal, Google agrees to set up an ethics and safety board to ensure that AI technology is not abused. Questions are subsequently raised after DeepMind refuses to say who is on the board, or even confirm whether it has officially met.
  • 2010-2016
    The Royal Free NHS Foundation Trust shares the personal data of patients with Google DeepMind to test an alerting system for acute kidney injury.
  • 2018
    DeepMind announces that its health division and the Streams app will be absorbed into Google Health.