latest health care news


NHS-approved online pharmacy fined for selling off personal data of 20,000 patients

The UK’s largest NHS-approved online pharmacy, Pharmacy2U, has been issued a £130,000 fine by the Information Commissioner’s Officer (ICO) for selling patients’ and customers’ personal data via direct marketers.

Through a marketing company called Alchemy Direct Media Ltd, Pharmacy2U senior executives unlawfully sold the personal data of over 21,000 NHS patients and online customers either directly or through intermediaries, including their names and addresses.

Information was sold to an Australian lottery company (which is subject to investigation by trading standards), a Jersey-based healthcare supplement company previously cautioned for its misleading advertising and unauthorised health claims, and a UK charity that used details to ask for donations for people with learning disabilities.

The investigation also found that the lottery company deliberately targeted elderly and vulnerable individuals, and some customers will likely suffer financially as a result of details being disclosed.

The civil monetary penalty applied is the first of its type and the company was ruled to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.

ICO deputy commissioner, David Smith, said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.

“It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

More than 100,000 customer details had been advertised for sale, with a database including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of the data, such as for men over 70 years old, were also available.

Records were advertised for sale for £130 per 1,000 records.

MedConfidential – an organisation originally created as a direct response to the perceived threat posed by changes to the way NHS England and HSCIC planned to extract patients’ medical information from NHS health record systems in England – was responsible for lodging a complaint against the website.

Phil Booth, its coordinator, said: “When medConfidential made a complaint to the ICO on behalf of patients who were being marketed, we had no idea the trade in their data was as murky as this.

“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical record systems.

“The government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade – not when there’s so much profit to be made. There must be a blanket, statutory ban on all marketing to patients.”

Daniel Lee, the company’s managing director, sincerely apologised for the incident and confirmed that it will no longer sell customer data.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers,” he said.

Health journalist and campaigner Dr Ben Goldacre noted that Pharmacy2U is 20% owned by EMIS, the largest provider of IT systems to GP practices in England.

UPDATE, 21st Oct, 1pm:

Chris Spencer, CEO at EMIS Group, said: “EMIS Group takes the ICO announcement very seriously indeed. The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC. The decision to sell data was made by the executive day-to-day management team at Pharmacy2U. It was never discussed by the Pharmacy2U board, nor was that board consulted before the decision was made.

"As the ICO’s report makes clear:

  • Pharmacy2U did not deliberately contravene the Data Protection Act; and
  • when it made the decision to sell data, Pharmacy2U did not have access to the now available information that could lead it to believe that some of the companies receiving the data could be involved in fraudulent activity.

"As a minority shareholder in Pharmacy2U we were extremely concerned when this issue was originally reported. As a leading provider of clinical software systems, EMIS Group has always maintained the highest standards of patient confidentiality and data security. We note the ICO’s ruling and that Pharmacy2U is committed to taking comprehensive remedial action. This includes confirming that it will no longer sell customer data and moving to a proactive consent model for its own marketing.”


Carl T Boylin   04/11/2015 at 12:08

I've worked at Pharmacy2u both building and IT security where dismal, patients were discussed openly by staff and to be honest it was a horrible place to work glad I'm not there any longer but feel sorry for some of those that still are.

Add your comment


national health executive tv

more videos >

featured articles

View all News

last word

The Refugee Doctor Initiative

The Refugee Doctor Initiative

Terry John, co-chair of the BMA & BDA Refugee Doctors and Dentists Liaison Group and chair of the union’s international committee, talks about a brilliant initiative that is proving mutual more > more last word articles >

health service focus

View all News


Strategic investment planning

13/12/2017Strategic investment planning

Paul Turton, head of solutions development at NHS Supply Chain, looks at ho... more >
A fight worth fighting

13/12/2017A fight worth fighting

Professor Wendy Burn, president of the Royal College of Psychiatrists (RCPs... more >


Cutting through the fake news

22/11/2017Cutting through the fake news

In an era of so-called ‘fake news’ growing alongside a renewed ... more >
681 149x260 NHE Subscribe button

the scalpel's daily blog

Ten lessons to support new care models locally

29/11/2017Ten lessons to support new care models locally

Anna Starling, policy fellow at the Health Foundation, offers the top 10 lessons for local leaders seeking to make systematic improvements across services, all based on first-... more >
read more blog posts from 'the scalpel' >

healthcare events

events calendar


December 2017

mon tue wed thu fri sat sun
27 28 29 30 1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
1 2 3 4 5 6 7

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital exemplars who were revealed at the same show 12 months earlier.  Jeremy Hunt also stated that by the end of 2018 – the 70th birthday... read more >