Pharmacy2U fined £130,000 for selling patient data

The online pharmacy company Pharmacy2U has been fined £130,000 for selling details of more than 20,000 of its customers to marketing companies without their knowledge or consent.

More than 100,000 customer details were advertised for sale, at a cost of £130 per 1,000 records. The database was advertised as including people with a range of conditions such as asthma, Parkinson’s disease and erectile dysfunction, and a breakdown of the data was available.

“Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable,” says David Smith, deputy commissioner of the Information Commissioners Office (ICO), which imposed the fine following its own investigation. “A reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.”

Companies that bought the customers’ names and addresses included a health supplements company that has been cautioned for misleading advertising, and an Australian lottery company that is being investigated by trading standards officials.

The ICO — the independent UK organisation that upholds information rights and promotes data privacy for individuals — found that Pharmacy2U, based in Leeds, had breached the Data Protection Act for failing to inform customers that their personal details were being sold and for failing to seek their consent.

The ICO investigation, prompted by a report in the
Daily Mail
, revealed that the lottery company used the data to deliberately target elderly and vulnerable people, some of whom may have lost money because of their details being passed on.

Pharmacy2U apologised for its actions and confirmed that it had stopped the practice of selling customer data.

“This is a regrettable incident for which we sincerely apologise,” said Daniel Lee, managing director of Pharmacy2U, in a statement issued on 20 October 2015 following the ICO’s decision.

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter,” he said. “As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.”

The General Pharmaceutical Council (GPhC) says it is studying the ICO’s findings closely. “We are considering what, if any, further action we need to take to ensure our standards of conduct, ethics and performance and our standards for registered premises are met,” says a GPhC spokesperson.

Academic Anthony Cox, who is also a member of the Royal Pharmaceutical Society’s English Pharmacy Board, described the sale of data as a “shocking abuse of patient information”.

“At a time when we are obtaining hard won access to summary care records, and campaigning for read/write access to the patient record, such failures are extremely damaging,” he says. “Such issues are extremely sensitive and damaging to public trust.”

Pharmacy2U’s fine is the first civil monetary penalty imposed by the ICO.