Addendum to press release

Pharmacy2U kept no records or audit trail of whose data they sold, stating “we are unable to contact individual patients.”  EMIS Group, a minority shareholder in Pharmacy2U Ltd, stated yesterday, “The decision to sell data was made by the executive day-to-day management team at Pharmacy2U”, while claiming the “highest standards of patient confidentiality and data security”.

The ICO’s judgement states:

49. It is possible that some customers, who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

The choice of Pharmacy2U to sell names and addresses of patients to quacks and charlatans must be addressed. “As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable”, say Pharmacy2U, but they still sold data to “spammy” companies that may have encouraged patients not to take medicines prescribed to them (and which they had paid Pharmacy2U for).

medConfidential received the following statement from Pharmacy2U’s media and PR representatives, ‘Intelligent Conversation’ – the new name for the same PR firm that contacted us previously, see the Update from April this year.

We publish Pharmacy2U’s statement in full:

Daniel Lee, Managing Director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.  

“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed.  There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.

“We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

The ICO’s judgement shows, while the data transferred may have been a list of names and addresses, the information received by the companies and charity was far more than that. For example, in the case of the Australian lottery scammers, they would have known that each name and address on that list was of a man (i.e. gender), aged 70 or over (i.e. age), who had made a purchase (financially active) from an online pharmacy in the past 6 months (with certain conditions)

Pharmacy2U’s “substantial remedial action” does not include informing any of the 21,500 patients and customers whose names and address was sold – as for example, the Government did when it lost two CDs containing HMRC Child Benefit data.

So we asked them about it.

This was the response:

A Pharmacy2u spokesman said: “As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. [Our emphasis] For that reason, we are unable to contact individual patients.

“Anyone with concerns should contact us on 0113 265 0222 or via email, director@pharmacy2u.co.uk“

We are pleased that Pharmacy2U has (finally) provided contact details for patients and customers who may have been affected by them selling their details, though these seem not to have been published in a way concerned members of the public can easily find them. We got them in an email, and P2U’s online statement directs people to their standard customer feedback form.

However, we are astonished to hear that the company retained no record of the people whose details were sold, and is incapable of regenerating those lists from the records it is supposed to keep according to Pharmaceutical Regulators.

This is a serious failure of information governance, which only compounds their original decision to sell people’s details. Pharmacy2U have not confirmed that all the recipients of the data destroyed all of the details.

Once again, predatory quacks and charlatans have targeted those who are most vulnerable. Pharmacies and charities are likely to know who is most at risk, and selling their names and addresses is complicity in the sort of abuse that has cost lives.

Only a criminal ban on marketing to patients will prevent crooks preying on patients.

The Information Commissioner’s Office will this morning issue a £130,000 fine [1] to the UK’s largest NHS-approved online pharmacy, Pharmacy2U, [2] whose senior executives approved the sale of NHS patients’ and P2U customers’ personal data by direct marketers.

The ICO determined that, through a direct marketing company called Alchemy Direct Media (UK) Ltd, Pharmacy2U executives unlawfully and unfairly sold the personal data of over 21,000 NHS patients and P2U customers either directly, or through intermediaries, to:

• Australian Lottery fraudsters [3] targeting male pensioners who were more likely to have chronic health conditions, or cognitive impairments;
• a Jersey-based ‘healthcare supplement’ company [4] which the Advertising Standards Authority ruled against for “misleading advertising” and “unauthorised health claims”;
• and a UK charity which used the details to solicit donations [5] for people with learning disabilities.

The ICO determined that the sale of personal data was “likely to cause substantial damage or substantial distress to the affected individuals”, [6] that the incidents were neither “one-off events or attributable to mere human error” [7] and that Pharmacy2U executives were negligent [8].

Phil Booth, coordinator of medConfidential said:

“When medConfidential made a complaint to the Information Commissioner on behalf of patients who were being marketed, we’d no idea the trade in their data was as murky as this.

“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems.

“The Government has to act decisively. Six-figure fines alone won’t stamp out this poisonous trade; not when there’s so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients.

“Those who profiteer from patients’ data are predators and should face prison when they are caught.”

—

Notes for editors:

1. The fine is a ‘Monetary Penalty Notice’; the ICO’s full judgement is published here: https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd/
2. Following a Daily Mail investigation, first reported on 31 March 2015: http://www.dailymail.co.uk/news/article-3020480/Your-secrets-sale-NHS-dock-s-revealed-details-patients-bought-prescriptions-online-sold-off.html Pharmacy2U is 20% owned by EMIS, the single largest provider of GP IT systems across England, see p80: https://www.emisgroupplc.com/media/1084/emis-group-plc-annual-report-and-accounts-2014.pdf and EMIS’ current Chief Executive is also a Director of Pharmacy2U: https://www.companiesintheuk.co.uk/director/11692582/christopher-spencer
3. See paragraphs 24-28 of the ICO’s judgement, which includes: “The National Trading Standards Scams Team has also informed the Commissioner’s office that the lottery company is the subject of an ongoing international criminal investigation into fraud and money laundering, although this wouldn’t have been known to Pharmacy2U.”
4. See paragraphs 20-23, which includes: “In February 2015, the Advertising Standards Authority (“ASA”) issued an adjudication on Healthy Marketing Ltd in relation to breaches of the CAP Code, although this wouldn’t have been known to Pharmacy2U at the time the order was approved. The breaches related to a press advert which was found to contain misleading advertising and unauthorised health claims.”
5. Paragraph 29 of the ICO’s judgement.
6. Paragraph 65 of the ICO’s judgement.
7. Paragraph 72 of the ICO’s judgement.
8. Paragraph 63:  “The senior executive of Pharmacy2U must have known that there was a risk that people may object to the sale of data to the lottery company because, when he was asked to approve the order, he replied “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. However, he still approved the order.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on 07974 230 839 or phil@medconfidential.org

– ends –

This morning, the NHS Health Apps Library – a “pilot programme” that has been endorsing hundreds of apps to patients since 2013 – was finally shut down. It is replaced by a set of pages on the NHS Choices website which promote a total of seven “online mental health services”. [1]

Serious concerns have been raised over the past year by researchers at Imperial College London and Ecole Polytechnique CNRS, France [2] and by medConfidential [3] with regard to the security, safety and suitability of dozens of apps which were endorsed in the Apps Library.

A handful of apps – including Kvetch, Doctoralia and My Sex Doctor [4] – were silently withdrawn following complaints, but it is unclear how NHS England intends to notify patients left hanging now that “innovative” apps it has been promoting for up to two years have had their approval pulled.

The closure of the Apps Library coincides with the Second Reading of the Access to Medical Treatments (Innovation) Bill – a Private Members’ Bill by Chris Heaton-Harris MP, a version of which was introduced previously in the Lords by advertising magnate Lord Saatchi.

Apps fall within the Bill’s definition of “innovative treatments”, opening far wider questions as to the use of the database [5] that would be created under Section 2 of the Bill. Minister for Life Sciences, George Freeman MP, tweeted during the debate [6] that he did not intend for the database to be used for marketing to patients, but the Bill itself and existing legislation [7] provide no legal bar.

All of which further calls into question the stated ambition of Secretary of State for Health, Jeremy Hunt, “to get a quarter of smartphone users – 15% of all NHS patients – routinely accessing NHS advice, services and medical records through apps by the end of the next financial year.” [8]

Phil Booth, coordinator of medConfidential said:

“While we welcome the closure of this sprawling, unaccredited mess of apps and internet quackery, NHS England must now demonstrate how radically it has changed its approach to innovation if it wants to avoid destroying patient trust.

“Promoting predatory ‘bait and switch’ apps targeting teenagers, like My Sex Doctor, was certainly an “innovation” for the NHS. Real doctors would have laughed the charlatans out of the surgery and got back to helping patients, but it seems Tim Kelsey’s team welcomed them with open arms.

“Jeremy Hunt and George Freeman may not intend for any of this to be used for marketing to patients, but there’s no legal bar. And as NHS England’s abortive attempt with apps has shown, not thinking this through properly puts patients at risk.”

—

Notes for editors:

1. Just three of these “services” are available as apps: http://www.nhs.uk/conditions/online-mental-health-services/Pages/introduction.aspx
2. http://www.theguardian.com/society/2015/sep/25/nhs-accredited-health-apps-putting-users-privacy-at-risk-study-finds which led to the removal of My Sex Doctor and other apps. Full study published here: http://www.biomedcentral.com/1741-7015/13/214
3. http://www.computing.co.uk/ctg/news/2415698/caredata-nhs-choices-and-now-apps-could-it-be-three-failures-in-a-row-for-tim-kelsey
   
4. Kvetch app was a self-described “experiment” that proposed to “make sickness social”, with a communally-visible “alcoholism” group it encouraged individuals to “check your friends in for a laugh”. Barcelona-based Doctoralia (still available in UK apps stores) failed to correctly list GPs working in UK practices, listing at least one GP who had died tragically, and had complex DPA issues that failed to meet the Apps Library’s own criteria for inclusion. My Sex Doctor (also still available in commercial apps stores, and still claiming NHS endorsement) targets teenagers with sex advice, with a stated business model: “Once gained their trust we can leverage it for commercial purposes” – see slide 11, http://www.slideshare.net/FabrizioDolfi/my-sexdoctor-pitch-deck-43296908
5. Which Chair of the Health Select Committee, Dr Sarah Wollaston MP, described as “a vast sprawling database of anecdotal treatment for male pattern baldness”. Debate transcript: http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/12/
6. https://twitter.com/Freeman_George/status/654976202810269696
7. See medConfidential’s briefing, following a meeting with Chris Heaton-Harris on 30 Sept: https://medconfidential.org/wp-content/uploads/2015/10/medconfidential-1-Marketingtopatients.pdf
8. Official report of Jeremy Hunt’s speech, 2 September 2015: https://www.gov.uk/government/news/health-secretary-outlines-vision-for-use-of-technology-across-nhs – updated on 18 September following the announcement of the consultation on the role and remit of the statutory National Data Guardian, who will produce “clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account.”

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

Late last week, the Government published its consultation on the remit of the National Data Guardian. The consultation is available here and closes on the 17th December, just days before Tim Kelsey departs (NHS) England.

We welcome this consultation, which we believe is intended to ensure the strength and the remit of the National Data Guardian into the future, as NHS England reconsiders its failed approach to data, privacy and information governance.

medConfidential will provide a substantive response to the consultation in future weeks, but on first reading, we would make a few initial observations:

1) This is a consultation on the nature of the teeth the NDG will have

It is not consulting on the existence of those teeth, but their shape and constitution, and how they relate to other bodies.

2) There is a question about how the National Data Guardian relates to Non-Medical Professionals

Medical Professionals are regulated by the General Medical Council; however, many decision-makers in the NHS are not Medical Professionals, and hence not subject to GMC rules and sanctions.

care.data and the Prime Minister’s Challenge Fund fiascos, for example, were both conceived and implemented by individuals who are not (Registered Medical) Professionals. There is currently no effective regulation of those individuals. The details of this will matter, and are likely to need multiple diverse discussions which we look forward to having in the coming weeks and months.

3) Covering the use of Health and Social Care Data about Children

Children are a large and vulnerable constituency of the NHS. For the National Data Guardian to lack effective powers in this area would be perverse.

However, Children’s Social Care is entirely separate to Adult Social Care, and so in practice powers will have to be significantly different – if only because the other public bodies are different bodies with different remits.

We greatly welcome the inclusion of this question in the consultation, though we suspect the Government’s response to the consultation will be limited to the principle of whether the NDG should be able to cover all Social Care, with the details of implementing coverage in Child Social Care being covered by a future consultation on that topic.

Since November 2014, the National Data Guardian has interacted with other regulators on the basis of an agreement of standing and respect for overlapping remits. Until the details of similar interactions can be worked out for Children’s Social Care, that is likely to be the way forwards. Any future consultation on this particular matter need not slow down primary legislation to put NDG onto a statutory basis “at the earliest opportunity” – subject to appropriate provision being made for, e.g. (super-)affirmative resolutions mandating the interactions between bodies in an agreed manner.

We will draft and publish a more comprehensive response in due course.

PLEASE NOTE: This consultation is entirely separate and unrelated to the announcement earlier this month that Dame Fiona Caldicott, the National Data Guardian, will review the language around consent for secondary uses of patient data in the NHS. It was that announcement by the Secretary of State that led, yet again, to another suspension of care.data.

NHS England failed to satisfactorily resolve the question of what “opt-out” actually means and does for nearly 3 years – so, as the scheme’s architect and main proponent himself opts out of care.data by leaving the country, those left behind will have to clean up the mess he’s left.

—

Our press release on the NDG consultation follows:

[PRESS RELEASE] Consultation on National Data Guardian: “no public confidence without Caldicott”

medConfidential today welcomed the long-anticipated consultation on the role of the National Data Guardian [1] as a step in the right direction. medConfidential and others have been pushing for the reinstatement of statutory independent oversight on the use of personal data across the health and care system since late spring 2014 [2].

With care.data put on “pause” yet again [3], Jeremy Hunt has asked Dame Fiona Caldicott to sort out the “fiasco” that Tim Kelsey and NHS England have failed to address for the past two years. Given the tight timing of this consultation, medConfidential hopes the Government will publish its response before Dame Fiona is required to offer her suggestions on resolving NHS England’s incompetence.

Issued by the Department of Health hours after NHS England announced Mr Kelsey’s resignation, the consultation is a positive step towards restoring public trust in the NHS’ handling and use of patient data.

As many, including leading research charities [5], have emphasised, “Patient data must be safeguarded… The stakes are too high to risk any further mistakes.”

Responding to the launch of the consultation, Phil Booth, coordinator of medConfidential said:

“We welcome putting the National Data Guardian role, currently held by Dame Fiona Caldicott, onto a statutory footing as a sensible and necessary step towards restoring public confidence.

“As we have pointed out time and again, there can be little public confidence in the handling of sensitive patient information without overarching, independent oversight – with teeth – of every single body involved.

“NHS England’s continued screw-ups and missteps are toxic to trust. They must improve, but that must be overseen by an independent body that can inspire confidence.”

—

Notes for editors:

1. The consultation was published on the evening of 17 September, just hours after care.data SRO, Tim Kelsey, announced his resignation [6]: https://www.gov.uk/government/consultations/the-role-of-the-national-data-guardian-for-health-and-social-care
2. See, e.g. medConfidential’s briefing and proposed amendments to the Care Bill 2014: https://medconfidential.org/wp-content/uploads/2014/05/medConfidential-briefing-for-Care-Bill-ping-pong_07May.pdf
3. See announcement by Somerset CCG (one of the care.data ‘pathfinder’ areas), published by Somerset LMC, 4/9/15: https://www.somersetlmc.co.uk/caredatapaused
4. “Caldicott to oversee care.data pilot”, EHI, 2/7/14: http://www.digitalhealth.net/news/29382/
5. Research charities’ letter to the Guardian following PM’s Challenge Fund debacle, 27/7/15: http://www.theguardian.com/society/2015/jul/27/patient-data-must-be-safeguarded
6. medConfidential Press Release,17/9/15, on Tim Kelsey’s resignation: https://medconfidential.org/2015/press-release-kelsey-leaves-england-for-down-under/

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

– ends –

medConfidential joins others in recognising the effect Tim Kelsey – Director for Patients and Information at NHS England, Chair of DH’s National Information Board, SRO for care.data and Chair of the care.data Programme Board – has had on the NHS.

Mr Kelsey announced today [1] that he will be resigning from NHS England and leaving the UK for Australia, to work as a commercial director for Telstra Health, a division of Australian telecommunications provider Telstra Corp – which in March this year acquired Dr Foster Intelligence [2], the company Mr Kelsey co-founded in 2000.

Tim’s commitment to the NHS is exemplified by serving his full notice period of 6 months. Earlier this morning, the HSCIC published its Board’s rejection of the Directions for the care.data pathfinders [3], a decision made in July.

Phil Booth, privacy advocate and long-standing scrutineer of Tim’s work, said:

“Tim’s gone back to his old job in the private sector, but serious questions of consent and transparency in NHS England remain unresolved. At the beginning of September Jeremy Hunt announced that responsibility for effective patient consent, long ignored by NHS England under Tim’s rule, had been handed to Dame Fiona Caldicott for resolution.

“We look forward to seeing how public confidence in the handling of NHS patient data will recover under new leadership. NHS England’s strident insistence on commercial re-use of medical records must now be reconsidered.

“Lord Saatchi’s Medical Database Bill, due to be re-published in the Commons the week after Conservative Party Conference, may provide some sign whether Jeremy Hunt has learnt the lessons of care.data for the entire NHS.”

—

Notes to editors:

1) NHS England announcement of Tim Kelsey’s resignation, 17/9/15: http://www.england.nhs.uk/2015/09/17/tim-kelsey-to-leave/

2) Telstra Health acquires Dr Foster Intelligence, 26/1/15: http://www.drfoster.com/updates/news/dr-foster-acquired-by-telstra-health/
Dr Foster Intelligence was formed when the Department of Health a 50% stake in Dr Foster in 2006, in a deal that was later criticised by the National Audit Office: http://www.nao.org.uk/report/dr-foster-intelligence-a-joint-venture-between-the-information-centre-and-dr-foster-llp/

3) Minutes of HSCIC Board meeting on 15/7/15, published on 17 September 2015, as part of papers for upcoming HSCIC Board meeting on 23/9/15. HSCIC reject the care.data Directions (previously approved by the care.data Programme Board and NHS England Board) for reasons listed on p10 of 300:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/461371/20150923_HSCICBoardpapers_Part1.pdf

medConfidential campaigns for confidentiality and consent in health and social care, seeking to ensure that every flow of data into, across and out of the NHS and care system is consensual, safe and transparent. Founded in January 2013, medConfidential is an independent, non-partisan organisation working with patients and medics, service users and care professionals.

For further information or for immediate or future interview, please contact Phil Booth, coordinator of medConfidential, on phil@medconfidential.org

– ends –