The country’s largest NHS-approved online pharmacy has been fined £130,000 by the Government’s data protection watchdog for selling the names and addresses of more than 21,000 patients without their consent.
The details sold by Pharmacy2U, which dispenses medicines to patients on behalf of the NHS, were later bought by an Australian lottery company and a health supplements firm, the Information Commissioner’s Office (ICO) said.
In what the watchdog described as an “inconceivable” breach of the Data Protection Act, the company put the details of more than 100,000 customers up for sale through an online marketing website at the end of last year. The database was advertised as including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction.
Some of the data, which Pharmacy2U priced at £130 for 1,000 records, was bought by an Australian lottery company which then “deliberately targeted elderly and vulnerable individuals”, the ICO said. The watchdog said it was “likely” that some customers would have lost money as a result of their details being passed on.
Pharmacy2U has worked closely with the NHS since 2001, developing an online system of repeat prescriptions which allows medicine to be posted to patients. The Leeds-based company is also 20 per cent owned by EMIS, the single largest provider of GP computer systems across England.
NHS England welcomed the fine, describing the company’s behaviour as “not acceptable”. But medical privacy campaigners said the threat of a severe financial penalty would not be enough to stamp out the “poisonous trade” in customer information, calling for a ban on all marketing to patients.
“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems,” said Phil Booth, coordinator of the group medConfidential, which made the initial complaint to the ICO.
ICO deputy commissioner David Smith said he hoped the hefty fine would send out a “clear message” to other companies that customer data “is not theirs to do with as they wish”.
He added: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.”
Mr Smith said that once people’s personal information had been sold on once, other firms were able resell it again and again – a snowball effect which often led to customers being bombarded by calls and letters from companies they had never used.
George Freeman, the Minister for Life Sciences, said: “Selling confidential patient records is completely unacceptable and this should serve as a warning that the misuse of patient data won’t be tolerated.”
Pharmacy2U apologised for the “regrettable incident” and said it would no longer sell customer data. “We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use,” said Daniel Lee, the company’s managing director.
Chris Spencer, CEO at EMIS, said the company had not been aware of Pharmacy2U’s plans to sell the data. The firm took the intervention by the ICO “very seriously indeed”, he added.