Exploitation of sensitive personal medical data by commercial entities

By Thomas Vink, 2nd September 2022

medConfidential is examining possible legal action in relation to the unlawful processing of patients’ medical data by Sensyne Health plc, a private company, which has data sharing agreements with several NHS Hospital Trusts.

medConfidential has gathered evidence indicating that personal data is being transferred from the NHS to Sensyne without patients’ knowledge or consent, thereby placing the confidentiality and privacy rights of over 12 million NHS patients at risk. The company and Trusts claim that the data transferred is anonymous and therefore not covered by GDPR – medConfidential has evidence that at least some of the data is merely pseudonymised. This means it is still personal data under the law and in practice, and that it exposes patients to privacy risks and potential data protection infringements.

Between 2021 and 2022, medConfidential received legal advice from Bindmans LLP on the potential remedy or remedies to seek in proceedings, the best choice of claimants, and the viability of and evidence required to pursue a legal claim on this issue.

In April 2022, Sensyne confirmed it needed to refinance and that it would delist from the AIM stock exchange. medConfidential sent a letter to all relevant NHS Trusts, advising them to terminate their contracts, and to ensure that Sensyne deletes all of the patient data that it has already received from them.

Organisation Name: medConfidential
Country/Jurisdiction: United Kingdom
Amount Granted: EUR 12,000
Current Status: Research complete
Grant type: Pre-litigation Research Support

Strategic Goal

To prevent the exploitation of sensitive personal data by commercial entities without robust safeguards for medical confidentiality and the privacy of individual patients.
