The UK's biggest online pharmacy has been fined £130,000 ($200,000) for selling patients' personal data to scammers who targeted the sick and vulnerable. Pharmacy2U (P2U) was punished by the Information Commissioner's Office (ICO) for offering the names and addresses of people who purchased prescriptions and other remedies from their site through online marketing list company, Alchemy Direct Media.
The pharmacy was found to have unlawfully sold the personal data of more than 21,000 NHS patients and P2U customers without informing them beforehand or getting their consent to have the data sold on.
The companies which bought the data include Australian Lottery fraudsters who targeted male pensioners who were more likely to have chronic health conditions, a Jersey-based "healthcare supplement" company which was found to have conducted "misleading advertising" and "unauthorised health claims" and a UK charity which used the details to solicit donations for people with learning disabilities.
The ICO found the Lottery company that bought customer records appeared to have deliberately targeted elderly and vulnerable individuals, and it is likely that some customers will have "suffered financially as a result of their details being passed on".
More than 100,000 customer details were advertised for sale on the database, which was broken down into categories including people suffering from ailments such as asthma, Parkinson's disease and erectile dysfunction and men over the age of 70. Records were advertised for sale for £130 per 1,000 records.
ICO deputy commissioner David Smith said: "Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details."
Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.
"We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use."
Phil Booth, coordinator of medConfidential, which made a complaint to the ICO on behalf of patients who were being marketed, said he had "no idea the trade in their data was as murky as this".
He added: "Vulnerable people shouldn't be exposed to this sort of harm and distress, but what's doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems.
"The government has to act decisively. Six-figure fines alone won't stamp out this poisonous trade; not when there's so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients. Those who profiteer from patients' data are predators and should face prison when they are caught."