NHS hospitals have used the credit-checking company Experian to vet their patients to find ‘income opportunities’ in those from overseas, an investigation has revealed.
Health bosses encouraged dozens of hospitals across England to use the service but the company has denied there are plans for them to do so.
A hospital trust in central London has been using the company for more than three years, according to the Health Service Journal.
People who don’t live in the UK have to pay for NHS treatment and, officials said, the Experian checks were just a detailed way of confirming people’s status.
But there are concerns they may have broke data protection laws and patients didn’t know their information was being shared with a private financial company.
One campaigner claimed the NHS didn’t even know whether what it was doing was legal.
The Lewisham and Greenwich NHS Trust in London (pictured: University Hospital Lewisham) already uses Experian to check whether its patients are genuine UK residents and NHS bosses said more hospitals should do it
‘People who go to the NHS do not expect their data to be handed over to a credit finance agency,’ a spokesperson for Med Confidential, Phil Booth, told the HSJ.
‘It is extraordinary that a national body, not having even determined the legality of what they are doing, appear to be doing everything they can through this carefully designed process to wash their hands of any consequences and put them on to any trust foolish enough to join this pilot.’
Experian is a private consumer company worth about £24billion, which is best known for carrying out credit checks.
HOW MUCH DO OVERSEAS PATIENTS PAY FOR NHS CARE?
While people who live in the UK get almost all NHS treatment for free, people from abroad have to pay.
How much they pay depends on where they come from and what they’re doing in the UK.
People from outside the European Economic Area pay 50 per cent more than those inside it, and Europeans who have accidents while on holiday may be covered by the European Health Insurance Card (EHIC) scheme.
These are some example costs of NHS treatment for patients needing emergency in-patient hospital treatment:
- General surgery £4,314 (£6,471 non-EEA)
- Trauma surgery £5,018 (£7,527)
- Heart (cardiac) surgery £11,396 (£17,094)
- A&E visit £1,484 (£2,226)
- Spinal injury £18,569 (£27,853)
- Stroke medicine £7,146 (£10,718)
- Medical cancer care; chemotherapy £4,890 (£7,334)
- Children’s dentistry £939 (£1,409)
- Children’s surgery £4,322 (£6,482)
- Baby delivery £3,024.50 (£4,536.75)
Source and full list of costs and procedures: NHS Improvement
For these it roots through financial information to see whether people pay their bills on time, how long they’ve had bank accounts for, how much credit card debt they have, and what sort of loans, mortgages or car finance they have taken out.
The HSJ investigation found the NHS was passing on patients’ names, addresses, dates of birth and NHS numbers to the firm to check where they were from.
And bosses at NHS England and NHS Improvement reportedly sent emails to 51 hospital trusts around the country suggesting they start using the company.
They said it presented an ‘income opportunity’ for the hospitals.
Several trusts were working on putting the checks in place, an insider at Experian said, but Lewisham and Greenwich NHS Trust was the only one to use it regularly.
Doing so helped it send out invoices for £4.2million to overseas patients in 2017-18, with about a quarter of that money now paid off.
The trust, which runs hospitals in south-east London, has been blighted by debts racked up by ‘health tourists’ who come to England to use the NHS then leave again.
Figures revealed yesterday by the Mail on Sunday showed its maternity unit alone is currently owed £1.2million from mothers from overseas.
It has only managed to recoup £30,000 of these costs and staff at the unit have spoken out against the decision to charge foreign mothers for their care.
NHS Improvement said it had not done its own checks into how the system aligns with data protection rules but said no clinical information needed to be shared.
In an internal email sent in January, NHSI officials said it was: ‘Running checks on historical data (2017-18) to confirm residency by matching an individual to an address using a patient’s digital footprint and then analysing credit bureaus for other aspects which could ‘disprove’ residency against economic activity, potentially helping us identify ex-pats and other health tourists.’
The email added: ‘Experian is already being used by a major acute trust to provide residency checks, so a data sharing and processing agreement is already available…
‘The information required would be name, address, DOB, preferably an NHS number or other identifier, email address and telephone number.
‘Clinical or other sensitive information is not required.’
WHAT ARE DATA PROTECTION RULES?
The European Union’s General Data Protection Regulation (GDPR) is a law that came into force on May 25, 2018.
It offers stronger data protection for all people in the European Union (EU).
This means cracking down on how companies use and sell the data they collect on their users.
The law marked the biggest overhaul of personal data privacy rules since the birth of the internet.
Under GDPR, companies are required to report data breaches within 72 hours, as well as to allow customers to export their data and delete it.
Part of GDPR is the right for people to know ahead of time whether their personal data is being collected and used, and for the company holding the data to be transparent about exactly what it’s doing with personal information.
The company holding the data must also make it freely available to the person it concerns.
Under the right to be forgotten, also known as Data Erasure, people are entitled to have the company erase their personal data, stop sending it to other parties, and potentially prevent third parties from using it, too.
This means people can withdraw their consent for information about them to be used, even after they’ve handed it over.
This right requires companies to balance the person’s rights with the ‘public interest in the availability of the data’ when considering such requests.
MailOnline has contacted Experian, NHS England and the Lewisham and Greenwich NHS Trust for comment.
The NHS Trust told HSJ: ‘We do have a notice on our website about sharing some information with non-NHS organisations.
‘It is important to stress that Experian do not carry out a credit check, but look at many sources to see whether patients are economically active in the UK.
‘This is one of several indicators to help check that patients are UK residents and eligible for care which is free at the point of access, in a non-discriminatory way.’
And Experian told the medical news site: ‘Experian currently works with one NHS trust to help them verify the identity of patients.
‘The trust submits lists of patient details in order for us to cross reference and check whether they are residents in the UK, and therefore eligible for services. This process is similar to most standard residency checking services.’