latest health care news


NHS-approved online pharmacy fined for selling off personal data of 20,000 patients

The UK’s largest NHS-approved online pharmacy, Pharmacy2U, has been issued a £130,000 fine by the Information Commissioner’s Officer (ICO) for selling patients’ and customers’ personal data via direct marketers.

Through a marketing company called Alchemy Direct Media Ltd, Pharmacy2U senior executives unlawfully sold the personal data of over 21,000 NHS patients and online customers either directly or through intermediaries, including their names and addresses.

Information was sold to an Australian lottery company (which is subject to investigation by trading standards), a Jersey-based healthcare supplement company previously cautioned for its misleading advertising and unauthorised health claims, and a UK charity that used details to ask for donations for people with learning disabilities.

The investigation also found that the lottery company deliberately targeted elderly and vulnerable individuals, and some customers will likely suffer financially as a result of details being disclosed.

The civil monetary penalty applied is the first of its type and the company was ruled to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.

ICO deputy commissioner, David Smith, said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.

“It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

More than 100,000 customer details had been advertised for sale, with a database including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of the data, such as for men over 70 years old, were also available.

Records were advertised for sale for £130 per 1,000 records.

MedConfidential – an organisation originally created as a direct response to the perceived threat posed by changes to the way NHS England and HSCIC planned to extract patients’ medical information from NHS health record systems in England – was responsible for lodging a complaint against the website.

Phil Booth, its coordinator, said: “When medConfidential made a complaint to the ICO on behalf of patients who were being marketed, we had no idea the trade in their data was as murky as this.

“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical record systems.

“The government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade – not when there’s so much profit to be made. There must be a blanket, statutory ban on all marketing to patients.”

Daniel Lee, the company’s managing director, sincerely apologised for the incident and confirmed that it will no longer sell customer data.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers,” he said.

Health journalist and campaigner Dr Ben Goldacre noted that Pharmacy2U is 20% owned by EMIS, the largest provider of IT systems to GP practices in England.

UPDATE, 21st Oct, 1pm:

Chris Spencer, CEO at EMIS Group, said: “EMIS Group takes the ICO announcement very seriously indeed. The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC. The decision to sell data was made by the executive day-to-day management team at Pharmacy2U. It was never discussed by the Pharmacy2U board, nor was that board consulted before the decision was made.

"As the ICO’s report makes clear:

  • Pharmacy2U did not deliberately contravene the Data Protection Act; and
  • when it made the decision to sell data, Pharmacy2U did not have access to the now available information that could lead it to believe that some of the companies receiving the data could be involved in fraudulent activity.

"As a minority shareholder in Pharmacy2U we were extremely concerned when this issue was originally reported. As a leading provider of clinical software systems, EMIS Group has always maintained the highest standards of patient confidentiality and data security. We note the ICO’s ruling and that Pharmacy2U is committed to taking comprehensive remedial action. This includes confirming that it will no longer sell customer data and moving to a proactive consent model for its own marketing.”


Carl T Boylin   04/11/2015 at 12:08

I've worked at Pharmacy2u both building and IT security where dismal, patients were discussed openly by staff and to be honest it was a horrible place to work glad I'm not there any longer but feel sorry for some of those that still are.

Add your comment


national health executive tv

more videos >

featured articles

View all News

last word

Hard to be optimistic

Hard to be optimistic

Rachel Power, chief executive of the Patients Association, warns that we must be realistic about the very real effects of continued underfunding across the health service. It’s now beyond more > more last word articles >

health service focus

View all News


Staying curious with the Shadow Board Programme

20/03/2019Staying curious with the Shadow Board Programme

Kirstie Stott, director of The Inspiring Leaders Network, discusses organis... more >
Fiction as Therapy

20/03/2019Fiction as Therapy

Elaine Bousfield of ZunTold Publishing – a press specialising in fict... more >


How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

24/10/2018How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

A dedicated national social care service could be a potential solution to s... more >

the scalpel's daily blog

Personal Health Budgets: empowering individuals

20/03/2019Personal Health Budgets: empowering individuals

Jon Baker, PHBChoices director at NHS Shared Business Services (NHS SBS) believes that the extension of Personal Health Budgets (PHBs) is a great opportunity for clinical comm... more >
read more blog posts from 'the scalpel' >

healthcare events

events calendar


March 2019

mon tue wed thu fri sat sun
25 26 27 28 1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
1 2 3 4 5 6 7

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital exemplars who were revealed at the same show 12 months earlier.  Jeremy Hunt also stated that by the end of 2018 – the 70th birthday... read more >