The National Health Service in England learned last week that data it collected on almost 50 million patients is now in the hands of insurers, making it one of the largest data breaches of medical information in history.

The breach has thrown England’s online medical record project into disarray, and should serve as a cautionary tale for the U.S., which is in the midst of a similar initiative.

While the data was “pseudonymised,”  there was enough information in the patient record to enable identification, according to Ben Goldacre writing in the opinion section of England’s The Guardian newspaper.

The NHS Information Centre, which had collected the data for research purposes, sold the information for less than $4,000 in 2012 to the Institute and Faculty of Actuaries, an organization sponsored by health insurance companies. The institute has told the British press that it used the data to help set pricing for insurance policies.

A few months later the Information Centre was dissolved and transformed into a new federal agency, the Health and Social Care Information Centre, which has now said that its predecessor had been wrong to sell the data. “We would like to restate that full postcodes and dates of birth were not supplied as part of this data and that it was not used to analyse individual insurance premiums, but to analyse general variances in critical illness,”a spokesman for the Centre told another London newspaper, The Telegraph.

The data had been collected in the first place to help researchers find ways to improve patient outcomes, and included information related to millions of hospital admissions. The data also had been acquired by a private consulting firm, PA Consulting, which described the dataset as “entire start-to-finish HES [hospital episode statistics] dataset across all three areas of collection – inpatient, outpatient and A&E ['accident and emergency,' the British equivalent of US emergency departments].”

The data breach has resulted in an announced six-month delay of England’s online medical record project.

Next Article: FTC Sues Collection Agencies Over Misleading Names, ...