The UK’s largest NHS-approved online pharmacy, Pharmacy2U, has been issued a £130,000 fine by the Information Commissioner’s Officer (ICO) for selling patients’ and customers’ personal data via direct marketers.
Through a marketing company called Alchemy Direct Media Ltd, Pharmacy2U senior executives unlawfully sold the personal data of over 21,000 NHS patients and online customers either directly or through intermediaries, including their names and addresses.
Information was sold to an Australian lottery company (which is subject to investigation by trading standards), a Jersey-based healthcare supplement company previously cautioned for its misleading advertising and unauthorised health claims, and a UK charity that used details to ask for donations for people with learning disabilities.
The investigation also found that the lottery company deliberately targeted elderly and vulnerable individuals, and some customers will likely suffer financially as a result of details being disclosed.
The civil monetary penalty applied is the first of its type and the company was ruled to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.
ICO deputy commissioner, David Smith, said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.
“It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
“Once people’s personal information has been sold on once this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”
More than 100,000 customer details had been advertised for sale, with a database including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of the data, such as for men over 70 years old, were also available.
Records were advertised for sale for £130 per 1,000 records.
MedConfidential – an organisation originally created as a direct response to the perceived threat posed by changes to the way NHS England and HSCIC planned to extract patients’ medical information from NHS health record systems in England – was responsible for lodging a complaint against the website.
Phil Booth, its coordinator, said: “When medConfidential made a complaint to the ICO on behalf of patients who were being marketed, we had no idea the trade in their data was as murky as this.
“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical record systems.
“The government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade – not when there’s so much profit to be made. There must be a blanket, statutory ban on all marketing to patients.”
Daniel Lee, the company’s managing director, sincerely apologised for the incident and confirmed that it will no longer sell customer data.
“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.
Health journalist and campaigner Dr Ben Goldacre noted that Pharmacy2U is 20% owned by EMIS, the largest provider of IT systems to GP practices in England.