The NHS has shared hospital data with more than 40 companies


According to an article in the Financial Times, the NHS has shared a wealth of data with several companies. Any organisation can apply for access to NHS patient data, but while some use it for planning and research purposes (e.g. local governments, public bodies, and universities), the Financial Times has discovered that it was also shared with 43 commercial businesses.

Organisations that have received this data include the world’s largest management consultancy, pharmaceutical groups (including AstraZeneca) and data companies. The Financial Times claims that years of detailed medical records from UK hospitals have been shared.

The type of data passed to organisations includes:

  • hospital episode statistics (HES)
  • a database listing all hospitalised patients
  • diagnoses, treatments, and outpatient appointments
  • data about emergency care, mental health, mortality, cancer waiting time, sexual health, and childbirth services.

The world’s largest data breach

According to the report, sensitive patient data was also shared with marketing firm Experian. This is especially worrying as, in October 2020, the ICO ordered Experian to change the way it handles personal data in direct marketing services. The command followed a two-year investigation by the ICO into how Experian, Equifax and TransUnion use personal data for marketing purposes.

The ICO’s investigation found that Experian, Equifax and TransUnion were “trading, enriching and enhancing people’s personal data without their knowledge”. This is a breach of data protection law.

The ICO also said that “the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services.[1]” So this could be the most significant data protection violation in history.


Further plans to pool NHS data

Government plans to pool and share the NHS data of 55 million patients have recently raised concerns, not least because, rather than opting into the scheme, people in England have until September 1 to opt out. If they do not, it will not be possible to remove their information from the new database.

The General Practice Data for Planning and Research (GPDPR) – not to be confused with the GDPR – aims to advance the understanding of medical issues. However, with a wealth of data on physical, mental, and sexual health, sex, ethnicity and sexual orientation, critics of the scheme have described it as a data grab.

The recent revelations by the Financial Times raise further concerns about what happens to our patient data and a general lack of transparency about how it is already being used and shared.


In March 2024, our firm changed its name to KP Law. 
