Online business Pharmacy2U has been fined £130,000 by the government’s privacy watchdog for selling patient information to marketing companies.
 
The names and addresses of 21,500 Pharmacy2U patients were sold via a third party to three companies in 2014, including a lottery company that “deliberately targeted elderly and vulnerable individuals”, the Information Commissioner’s Office (ICO) announced on Tuesday.
 
Pharmacy2U – the UK’s largest NHS-approved online pharmacy – said it “sincerely apologises” for the “regrettable incident”. The company stopped the “trial” sale of customer data through a marketing list company “as soon as the issue was brought to our attention” and has taken “substantial remedial action”, managing director Daniel Lee stressed.
 
The ICO concluded that Pharmacy2U had obtained the data “unfairly”, because its online registration form “did not inform customers that it intended to sell their details to third party organisations”.
 
It decided that Pharmacy2U’s breach of the Data Protection Act had not been deliberate, but stressed that the company is now facing the consequences of having made a “serious error of judgment”.
 
ICO deputy commissioner David Smith said patient confidentiality is “drummed into pharmacists” and it is “inconceivable” that a pharmacy business “could believe these actions were acceptable”. The fine should “send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish”.
 
The General Pharmaceutical Council said it is “studying” the ICO’s findings and considering what further action, if any, it should take.
 

What happened to the patient data?

The ICO investigation revealed that marketing company Alchemy Direct Media put up the details of more than 100,000 Pharmacy2U patients for sale, at a cost of £130 per 1,000 records, the watchdog said.
 
A total of 21,500 of these records found buyers, including a health supplements company that has since been cautioned for misleading advertising and an Australian lottery company that is now under investigation for fraud and money laundering.
 
Pharmacy2U told C+D it was unable to comment on how much money it had made from selling the information. Mr Lee pointed out that the company undertook “due diligence” to check that the organisations that bought its data were “reputable”. There was “no publicly-available information at the time” to suggest the lottery company or the health supplements company were suspected of any wrongdoing, he said.
 
Pharmacy2U only sold the names and postal addresses for “one-time use”, and no medical information, email addresses or telephone numbers were sold, Mr Lee said. The distributed information has since been “securely destroyed”, he added.

Read the ICO's full determination here.

Is the ICO sanction appropriate?

We want to hear your views, but please express them in the spirit of a constructive, professional debate. For more information about what this means, please click here to see our community principles and information