Except that we're now in the post-Snowden era, and companies like Google have taken measures to harden their networks against (among other things) GCHQ-esque intrusion.
In contrast, the other party in this story---the NHS---apparently hands out sensitive medical data on physical DVDs. I suppose on the plus side one doesn't need to worry about GCHQ being interested in illicitly acquiring that data, as if they have a relevant interest in it they can just ask their neighboring government agency.
While this was clearly an inappropriate act on the part of the contractor, it's not inappropriate for moving the data to a less secure medium or less credible institution than the origin.
In contrast, the other party in this story---the NHS---apparently hands out sensitive medical data on physical DVDs. I suppose on the plus side one doesn't need to worry about GCHQ being interested in illicitly acquiring that data, as if they have a relevant interest in it they can just ask their neighboring government agency.
While this was clearly an inappropriate act on the part of the contractor, it's not inappropriate for moving the data to a less secure medium or less credible institution than the origin.