[PRESS RELEASE] UK’s largest online pharmacy fined £130,000 for selling patients’ data to scammers

The Information Commissioner’s Office will this morning issue a £130,000 fine [1] to the UK’s largest NHS-approved online pharmacy, Pharmacy2U, [2] whose senior executives approved the sale of NHS patients’ and P2U customers’ personal data by direct marketers.

The ICO determined that, through a direct marketing company called Alchemy Direct Media (UK) Ltd, Pharmacy2U executives unlawfully and unfairly sold the personal data of over 21,000 NHS patients and P2U customers either directly, or through intermediaries, to:

  • Australian Lottery fraudsters [3] targeting male pensioners who were more likely to have chronic health conditions, or cognitive impairments;
  • a Jersey-based ‘healthcare supplement’ company [4] which the Advertising Standards Authority ruled against for “misleading advertising” and “unauthorised health claims”;
  • and a UK charity which used the details to solicit donations [5] for people with learning disabilities.

The ICO determined that the sale of personal data was “likely to cause substantial damage or substantial distress to the affected individuals”, [6] that the incidents were neither “one-off events or attributable to mere human error” [7] and that Pharmacy2U executives were negligent [8].

Phil Booth, coordinator of medConfidential said:

“When medConfidential made a complaint to the Information Commissioner on behalf of patients who were being marketed, we’d no idea the trade in their data was as murky as this.

“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems.

“The Government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade; not when there’s so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients.

“Those who profiteer from patients’ data are predators and should face prison when they are caught.”

Notes for editors:

  1. The fine is a ‘Monetary Penalty Notice’; the ICO’s full judgement is published here: https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd/
  2. Following a Daily Mail investigation, first reported on 31 March 2015: http://www.dailymail.co.uk/news/article-3020480/Your-secrets-sale-NHS-dock-s-revealed-details-patients-bought-prescriptions-online-sold-off.html Pharmacy2U is 20% owned by EMIS, the single largest provider of GP IT systems across England, see p80: https://www.emisgroupplc.com/media/1084/emis-group-plc-annual-report-and-accounts-2014.pdf and EMIS’ current Chief Executive is also a Director of Pharmacy2U: https://www.companiesintheuk.co.uk/director/11692582/christopher-spencer
  3. See paragraphs 24-28 of the ICO’s judgement, which includes: “The National Trading Standards Scams Team has also informed the Commissioner’s office that the lottery company is the subject of an ongoing international criminal investigation into fraud and money laundering, although this wouldn’t have been known to Pharmacy2U.”
  4. See paragraphs 20-23, which includes: “In February 2015, the Advertising Standards Authority (“ASA”) issued an adjudication on Healthy Marketing Ltd in relation to breaches of the CAP Code, although this wouldn’t have been known to Pharmacy2U at the time the order was approved. The breaches related to a press advert which was found to contain misleading advertising and unauthorised health claims.”
  5. Paragraph 29 of the ICO’s judgement.
  6. Paragraph 65 of the ICO’s judgement.
  7. Paragraph 72 of the ICO’s judgement.
  8. Paragraph 63:  “The senior executive of Pharmacy2U must have known that there was a risk that people may object to the sale of data to the lottery company because, when he was asked to approve the order, he replied “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. However, he still approved the order.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –