A data-mapping firm has withdrawn a service which may have allowed access to information on millions of patient records, following the launch of an investigation from health authorities.

The service provided by Earthware, which supplies its clients with data visualisations through the use of its mapping technology, was shut down on Monday following a request from the Health and Social Care Information Centre (HSCIC).

The website offered to provide data visualisations that allow users to locate areas in England where a single individual had gone for specialised treatment, the Guardian writes. The information would not have allowed individuals to be identified, but its use may have contravened data protection rules.

The data is believed to be from the Hospital Episode Statistics (HES), a data warehouse run by the HSCIC which contains millions of records with details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. The anonymised data includes patient age, gender, diagnoses and other personal information.

However Earthware said in a statement on Monday that the information made available online was a demo which displayed “mock data” that was supplied by a third party.

“We do not hold nor have we ever held HES data on our servers,” the company said.

The HSCIS announced yesterday that it had demanded the tool be taken offline, pending a further investigation into the source of the data.

“We are investigating urgently the source of the data used by Earthware UK and whether controls demanded of any organisation using data have been maintained," the centre said. "After this investigation we will take any necessary action.”

The move by the HSCIC follows on from concerns over the use of patient data as part of the government’s scheme.

Under the controversial plans, patient’s which do not opt out of the scheme will have certain data made commercially available to organisations such as universities, insurers and drug companies.

The proposals were put on hold last month in order to spend more time reassuring the public over the scheme. 

NHS England has previously admitted that there is a risk of patient data being identified, despite promises that the records will be pseudonymised when extracted from GPs’ systems.

The HSCIS also responded to reports it had allowed marketing consultancy PA Consulting to store patient data on Google servers to produce interactive maps using BigQuery analytics software.

The HSCIS said it signed an agreement to share pseudonymised data with PA Consulting in 2011, and was aware of the use of Google tools. 

It said it had received assurance from PA Consulting that no Google staff would be able to access the data, which the consultancy said was held securely.

PA Consuling said in a statement that it has used the NHS data appropriately since signing the aggreement with HSCIC, with information "held securely in the cloud in accordance with conditions specified and approved by" the health authority.  

Find your next job with computerworld UK jobs