Opposition to care.data grows as NHS suffers two million "serious data breaches" since 2011

Leaked documents indicate known risk to centralisation and sale of patient records

The new, centralised NHS patient records database could be vulnerable to hackers and used to identify patients, according to the Privacy Impact Assessment from NHS England.

Furthermore, the organisation tacitly admits that public confidence in the NHS could be damaged and that it could encourage patients to withhold critical information from their doctors out of fear that it is no longer confidential.

The extraction of information from GPs' surgeries will begin in March and, although patients can sign forms to opt out of the process, it is unclear exactly how far this opt out extends.

NHS England is supposed to be leafleting households across England to inform them of the plan - a concession that it only agreed to after the intervention of the Information Commissioner. However, in a poll, only 29 per cent of respondents claim that they have received any leaflets about care.data.

The intention of care.data is to channel "anonymised" patient records data to pharmaceutical companies, health researchers and private companies - if they can demonstrate some form of healthcare benefit.

The Health and Social Care Information Centre (HSCIC), the quango responsible for implementing the project, has been keen to reassure campaigners, MPs and the public at large that the information will be adequately anonymised or "pseudonymised" so that people's identities will not be revealed. Campaigners, however, have not been convinced.

The documents, published in The Daily Telegraph, indicate that NHS England is aware of the shortcomings of its proposed anonymisation of patient data prior to its sale. However, it claims that de-anonymising the data would be unlawful.

Its risk assessment states: "While there is a privacy risk that the analysts granted access to these pseudonymised flows could potentially re-identify patients maliciously by combining the pseudonymised data with other available datasets (a technique known as a jigsaw attack), such an attack would be illegal and would be subject to sanction by the Information Commissioner's Office."

Further risks identified in the documents include attack by hackers - either against the dataset held by the HSCIC in care.data, or on the data sold to third parties.

The leak follows the news that more than two million "serious data breaches" of NHS patient records have been reported since the start of 2011.

The 2,152,560 losses recorded by the Information Commissioner include records held on unwiped PCs that have been sold second-hand, staff sending sensitive information to the wrong locations, and even posting such information on websites.