20.10.15
NHS-approved online pharmacy fined for selling off personal data of 20,000 patients
The UK’s largest NHS-approved online pharmacy, Pharmacy2U, has been issued a £130,000 fine by the Information Commissioner’s Officer (ICO) for selling patients’ and customers’ personal data via direct marketers.
Through a marketing company called Alchemy Direct Media Ltd, Pharmacy2U senior executives unlawfully sold the personal data of over 21,000 NHS patients and online customers either directly or through intermediaries, including their names and addresses.
Information was sold to an Australian lottery company (which is subject to investigation by trading standards), a Jersey-based healthcare supplement company previously cautioned for its misleading advertising and unauthorised health claims, and a UK charity that used details to ask for donations for people with learning disabilities.
The investigation also found that the lottery company deliberately targeted elderly and vulnerable individuals, and some customers will likely suffer financially as a result of details being disclosed.
The civil monetary penalty applied is the first of its type and the company was ruled to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.
ICO deputy commissioner, David Smith, said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.
“It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
“Once people’s personal information has been sold on once this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”
More than 100,000 customer details had been advertised for sale, with a database including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of the data, such as for men over 70 years old, were also available.
Records were advertised for sale for £130 per 1,000 records.
MedConfidential – an organisation originally created as a direct response to the perceived threat posed by changes to the way NHS England and HSCIC planned to extract patients’ medical information from NHS health record systems in England – was responsible for lodging a complaint against the website.
Phil Booth, its coordinator, said: “When medConfidential made a complaint to the ICO on behalf of patients who were being marketed, we had no idea the trade in their data was as murky as this.
“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical record systems.
“The government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade – not when there’s so much profit to be made. There must be a blanket, statutory ban on all marketing to patients.”
Daniel Lee, the company’s managing director, sincerely apologised for the incident and confirmed that it will no longer sell customer data.
“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.
“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers,” he said.
Health journalist and campaigner Dr Ben Goldacre noted that Pharmacy2U is 20% owned by EMIS, the largest provider of IT systems to GP practices in England.
UPDATE, 21st Oct, 1pm:
Chris Spencer, CEO at EMIS Group, said: “EMIS Group takes the ICO announcement very seriously indeed. The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC. The decision to sell data was made by the executive day-to-day management team at Pharmacy2U. It was never discussed by the Pharmacy2U board, nor was that board consulted before the decision was made.
"As the ICO’s report makes clear:
- Pharmacy2U did not deliberately contravene the Data Protection Act; and
- when it made the decision to sell data, Pharmacy2U did not have access to the now available information that could lead it to believe that some of the companies receiving the data could be involved in fraudulent activity.
"As a minority shareholder in Pharmacy2U we were extremely concerned when this issue was originally reported. As a leading provider of clinical software systems, EMIS Group has always maintained the highest standards of patient confidentiality and data security. We note the ICO’s ruling and that Pharmacy2U is committed to taking comprehensive remedial action. This includes confirming that it will no longer sell customer data and moving to a proactive consent model for its own marketing.”