That's a big worry. What we do know, for sure, is that it at least
might end up in the wrong hands. It also wouldn't be the first time data has been left in a cab, on a train, stuck into an envelope and posted, never to be seen again, and so on. That leads me to a question and a conclusion.
The conclusion is that they can't lose what they don't have. The question is whether it was
really lost in the post, or sold and that used as a convenient cover? Either way, they can't either lose or sell it if they don't have it.
But as I understand the arrangements, those with a suitable 'reason' can request data, which will be supplied in anonymised or pseudu-anonymised form whch is at least potentially un-anonymisable and, yeah, they can't unanonymise it if they don't have it.
Once it's gone, once it's been sucked, we have lost all ability to then think "Errr, y'know what, I'd rather not risk it".
One more question pops into my mind .... how many of us
know, as in have checked, what our medical records say? Not what they
should say, but what they do say? And is it both complete and accurate? After all, even doctors are human, and as we know, to err is human (and to really screw up takes a computer).