Online pharmacy fined £130k for selling personal data

The UK’s largest online pharmacy has received a record fine for selling the details of thousands of its customers to marketing companies.

The Information Commissioner’s Office (ICO) announced yesterday (20 October) that Leeds-based Pharmacy2U was fined £130,000 for selling the names and addresses of more than 21,000 of its customers to marketing companies in the UK and overseas.

Pharamcy2U is the UK’s largest NHS contracted pharmacy, selling prescription and over the counter medicines, including dry eye treatments. It also handles repeat prescriptions for thousands of NHS patients, many of whom may be too ill or immobile to collect prescriptions from their GP or local pharmacy.

In March this year, an investigation by the Daily Mail revealed that undercover reporters were able to buy customer details from the company for as little as 19p per record. It emerged that the online retailer, which is regulated by the General Pharmaceutical Council, was offering details of more than 100,000 customers through online marketing list company Alchemy Direct Media.

The list of data for sale included 21,500 records sold to three organisations: a UK charity soliciting for donations; a Jersey-based supplements company which had used “misleading advertising and unauthorised health claims;” and most worrying, an Australian lottery company under criminal investigation for fraud.

It is believed that a number of vulnerable elderly customers may have been targeted by scammers as a result of the sales.

An investigation by the ICO found that Pharmacy2U ran afoul of the Data Protection Act as it had not informed customers of its intent to sell their details, and that customers had not given their consent for their details to be sold.

The deputy commissioner of the ICO, David Smith, said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

Mr Smith added: “Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

Phil Booth, coordinator of independent campaign group medConfidential, which made a complaint on behalf of patients who had been targeted, said: “We [had] no idea the trade of their data was as murky as this.”

Mr Booth added: “Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their record systems.”

Pharmacy2U issued a statement confirming that it no longer sells customer data and has changed its privacy policy.

Responding to the ICO’s findings, managing director of Pharmacy2U, Daniel Lee, said: “This is a regrettable incident for which we sincerely apologise.”