Addendum to press release

Pharmacy2U kept no records or audit trail of whose data they sold, stating “we are unable to contact individual patients.”  EMIS Group, a minority shareholder in Pharmacy2U Ltd, stated yesterday, “The decision to sell data was made by the executive day-to-day management team at Pharmacy2U”, while claiming the “highest standards of patient confidentiality and data security”.

The ICO’s judgement states:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

The choice of Pharmacy2U to sell names and addresses of patients to quacks and charlatans must be addressed. “As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable”, say Pharmacy2U, but they still sold data to “spammy” companies that may have encouraged patients not to take medicines prescribed to them (and which they had paid Pharmacy2U for).

medConfidential received the following statement from Pharmacy2U’s media and PR representatives, ‘Intelligent Conversation’ – the new name for the same PR firm that contacted us previously, see the Update from April this year.

We publish Pharmacy2U’s statement in full:

Daniel Lee, Managing Director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.  

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.  There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.

“We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

The ICO’s judgement shows, while the data transferred may have been a list of names and addresses, the information received by the companies and charity was far more than that. For example, in the case of the Australian lottery scammers, they would have known that each name and address on that list was of a man (i.e. gender), aged 70 or over (i.e. age), who had made a purchase (financially active) from an online pharmacy in the past 6 months (with certain conditions)

Pharmacy2U’s “substantial remedial action” does not include informing any of the 21,500 patients and customers whose names and address was sold – as for example, the Government did when it lost two CDs containing HMRC Child Benefit data.

So we asked them about it.

This was the response:

A Pharmacy2u spokesman said: “As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. [Our emphasis] For that reason, we are unable to contact individual patients.

“Anyone with concerns should contact us on 0113 265 0222 or via email, director@pharmacy2u.co.uk“

We are pleased that Pharmacy2U has (finally) provided contact details for patients and customers who may have been affected by them selling their details, though these seem not to have been published in a way concerned members of the public can easily find them. We got them in an email, and P2U’s online statement directs people to their standard customer feedback form.

However, we are astonished to hear that the company retained no record of the people whose details were sold, and is incapable of regenerating those lists from the records it is supposed to keep according to Pharmaceutical Regulators.

This is a serious failure of information governance, which only compounds their original decision to sell people’s details. Pharmacy2U have not confirmed that all the recipients of the data destroyed all of the details.

Once again, predatory quacks and charlatans have targeted those who are most vulnerable. Pharmacies and charities are likely to know who is most at risk, and selling their names and addresses is complicity in the sort of abuse that has cost lives.

Only a criminal ban on marketing to patients will prevent crooks preying on patients.

The Information Commissioner’s Office will this morning issue a £130,000 fine [1] to the UK’s largest NHS-approved online pharmacy, Pharmacy2U, [2] whose senior executives approved the sale of NHS patients’ and P2U customers’ personal data by direct marketers.

The ICO determined that, through a direct marketing company called Alchemy Direct Media (UK) Ltd, Pharmacy2U executives unlawfully and unfairly sold the personal data of over 21,000 NHS patients and P2U customers either directly, or through intermediaries, to:

• Australian Lottery fraudsters [3] targeting male pensioners who were more likely to have chronic health conditions, or cognitive impairments;
• a Jersey-based ‘healthcare supplement’ company [4] which the Advertising Standards Authority ruled against for “misleading advertising” and “unauthorised health claims”;
• and a UK charity which used the details to solicit donations [5] for people with learning disabilities.

The ICO determined that the sale of personal data was “likely to cause substantial damage or substantial distress to the affected individuals”, [6] that the incidents were neither “one-off events or attributable to mere human error” [7] and that Pharmacy2U executives were negligent [8].

Phil Booth, coordinator of medConfidential said:

“When medConfidential made a complaint to the Information Commissioner on behalf of patients who were being marketed, we’d no idea the trade in their data was as murky as this.

“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems.

“The Government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade; not when there’s so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients.

“Those who profiteer from patients’ data are predators and should face prison when they are caught.”

—

Notes for editors:

1. The fine is a ‘Monetary Penalty Notice’; the ICO’s full judgement is published here: https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd/
2. Following a Daily Mail investigation, first reported on 31 March 2015: http://www.dailymail.co.uk/news/article-3020480/Your-secrets-sale-NHS-dock-s-revealed-details-patients-bought-prescriptions-online-sold-off.html Pharmacy2U is 20% owned by EMIS, the single largest provider of GP IT systems across England, see p80: https://www.emisgroupplc.com/media/1084/emis-group-plc-annual-report-and-accounts-2014.pdf and EMIS’ current Chief Executive is also a Director of Pharmacy2U: https://www.companiesintheuk.co.uk/director/11692582/christopher-spencer
3. See paragraphs 24-28 of the ICO’s judgement, which includes: “The National Trading Standards Scams Team has also informed the Commissioner’s office that the lottery company is the subject of an ongoing international criminal investigation into fraud and money laundering, although this wouldn’t have been known to Pharmacy2U.”
4. See paragraphs 20-23, which includes: “In February 2015, the Advertising Standards Authority (“ASA”) issued an adjudication on Healthy Marketing Ltd in relation to breaches of the CAP Code, although this wouldn’t have been known to Pharmacy2U at the time the order was approved. The breaches related to a press advert which was found to contain misleading advertising and unauthorised health claims.”
5. Paragraph 29 of the ICO’s judgement.
6. Paragraph 65 of the ICO’s judgement.
7. Paragraph 72 of the ICO’s judgement.
8. Paragraph 63:  “The senior executive of Pharmacy2U must have known that there was a risk that people may object to the sale of data to the lottery company because, when he was asked to approve the order, he replied “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. However, he still approved the order.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

This morning, the NHS Health Apps Library – a “pilot programme” that has been endorsing hundreds of apps to patients since 2013 – was finally shut down. It is replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”. [1]

Serious concerns have been raised over the past year by researchers at Imperial College London and Ecole Polytechnique CNRS, France [2] and by medConfidential [3] with regard to the security, safety and suitability of dozens of apps which were endorsed in the Apps Library.

A handful of apps – including Kvetch, Doctoralia and My Sex Doctor [4] – were silently withdrawn following complaints, but it is unclear how NHS England intends to notify patients left hanging now that “innovative” apps it has been promoting for up to two years have had their approval pulled.

The closure of the Apps Library coincides with the Second Reading of the Access to Medical Treatments (Innovation) Bill – a Private Members’ Bill by Chris Heaton-Harris MP, a version of which was introduced previously in the Lords by advertising magnate Lord Saatchi.

Apps fall within the Bill’s definition of “innovative treatments”, opening far wider questions as to the use of the database [5] that would be created under Section 2 of the Bill. Minister for Life Sciences, George Freeman MP, tweeted during the debate [6] that he did not intend for the database to be used for marketing to patients, but the Bill itself and existing legislation [7] provide no legal bar.

All of which further calls into question the stated ambition of Secretary of State for Health, Jeremy Hunt, “to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.” [8]

Phil Booth, coordinator of medConfidential said:

“While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust.

“Promoting predatory ‘bait and switch’ apps targeting teenagers, like My Sex Doctor, was certainly an “innovation” for the NHS. Real doctors would have laughed the charlatans out of the surgery and got back to helping patients, but it seems Tim Kelsey’s team welcomed them with open arms.

“Jeremy Hunt and George Freeman may not intend for any of this to be used for marketing to patients, but there’s no legal bar. And as NHS England’s abortive attempt with apps has shown, not thinking this through properly puts patients at risk.”

—

Notes for editors:

1. Just three of these “services” are available as apps: http://www.nhs.uk/conditions/online-mental-health-services/Pages/introduction.aspx
2. http://www.theguardian.com/society/2015/sep/25/nhs-accredited-health-apps-putting-users-privacy-at-risk-study-finds which led to the removal of My Sex Doctor and other apps. Full study published here: http://www.biomedcentral.com/1741-7015/13/214
3. http://www.computing.co.uk/ctg/news/2415698/caredata-nhs-choices-and-now-apps-could-it-be-three-failures-in-a-row-for-tim-kelsey
   
4. Kvetch app was a self-described “experiment” that proposed to “make sickness social”, with a communally-visible “alcoholism” group it encouraged individuals to “check your friends in for a laugh”. Barcelona-based Doctoralia (still available in UK apps stores) failed to correctly list GPs working in UK practices, listing at least one GP who had died tragically, and had complex DPA issues that failed to meet the Apps Library’s own criteria for inclusion. My Sex Doctor (also still available in commercial apps stores, and still claiming NHS endorsement) targets teenagers with sex advice, with a stated business model: “Once gained their trust we can leverage it for commercial purposes” – see slide 11, http://www.slideshare.net/FabrizioDolfi/my-sexdoctor-pitch-deck-43296908
5. Which Chair of the Health Select Committee, Dr Sarah Wollaston MP, described as “a vast sprawling database of anecdotal treatment for male pattern baldness”. Debate transcript: http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/12/
6. https://twitter.com/Freeman_George/status/654976202810269696
7. See medConfidential’s briefing, following a meeting with Chris Heaton-Harris on 30 Sept: https://medconfidential.org/wp-content/uploads/2015/10/medconfidential-1-Marketingtopatients.pdf
8. Official report of Jeremy Hunt’s speech, 2 September 2015: https://www.gov.uk/government/news/health-secretary-outlines-vision-for-use-of-technology-across-nhs – updated on 18 September following the announcement of the consultation on the role and remit of the statutory National Data Guardian, who will produce “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –