Layer 1

Employee and locum details in Well data leak up to seven years old

Well: We have contacted the majority of affected data subjects by email or post
Well: We have contacted the majority of affected data subjects by email or post

Some of the details of employees and locums accidentally leaked via email by Well Pharmacy in December may be up to seven years old, the multiple has told C+D.

In December, a document – which included names, addresses, phone numbers, email addresses and some payroll numbers of 24,099 employees and locums – was sent as an email attachment to an undisclosed number of Well locums.

C+D readers have flagged they have been contacted by Well to inform them that some of their data was included in the emailed document, despite not having worked for the multiple for more than five years in some cases.

Chris Ellett, Well transformation director and senior information risk owner, told C+D yesterday (February 5) the multiple is required to retain data “for a variety of regulatory purposes, the main one being HM Revenue and Customs, who require us to keep records for seven years”.

“We are analysing the data in [our system] to identify records that are older than that, for locums who would consider themselves dormant, and will take appropriate steps for the records we find,” Mr Ellett said.

Well “continuing to work with ICO”

Well has contacted the “majority of affected data subjects” by email or post, and will “continue to make further attempts where mail has been returned to sender”, Mr Ellett said.

The multiple has taken steps to reduce the risk of another, similar incident occurring, he added.

“Well Pharmacy continues to work with the Information Commissioner’s Office (ICO) in respect of the breach, and have been completely transparent about the findings of our investigation.

“We appreciate that the ICO is dealing with a large volume of work following the implementation of the General Data Protection Regulation, and we will respond to any actions they recommend,” Mr Ellett added.

Have you received an email from Well?

Ghengis Pharm, Locum pharmacist

I haven't worked for them for at least 15 years and yet I got the letter !

Leon The Apothecary, Student

I wonder if the Australian lottery company has gotten in touch with them yet, I'm sure they are eager to buy.

This shows another level of incompetence in the company, a level that many of us in the know would echo in our opinion. A lack of structure, coordination, and corporate competition for the top salaries leave me personally wondering if they remember why pharmacies exist in the first place?

Rachael Clarke, Superintendent Pharmacist

As the Superintendent for the newly formed Co-op Health (part of Co-op Group) and having previously been employed by both The Co-operative Pharmacy (the trading name of Well when it was part of The Co-operative Group before the pharmacy business was sold to Bestway) and Well, I would like to clarify that Well and Co-op are entirely separate organisations and do not share any ongoing trading relationship. This article is discussing a data breach by Well.

C A, Community pharmacist

If the data is up to seven years old, some of it my be Co-op data...

Richard Binns, Primary care pharmacist

I would argue that my data that has been unlawfully released was in relation to my activities working for 'Co-op' Pharmacy, I have never undertaken any work for Well Pharmacy. The previous co-op group who where responsible for the handling of my sensitive data  (from 2008) are responsible for placing that data in the hands of Well pharmacy who have commited the breach.

While I accept your statement highlighting that you are a different co-operative group from the organisation responsible for the handling of my data, I am sure the ICO is also capable of making that distinction before passing judgment.

I cannot see any direct reference towards your group in any of the comments on here 

Rachael Clarke, Superintendent Pharmacist

Hi Richard, in your comment below you refer to being contacted by Well/Co-op. This is not factually correct. You have been contacted by Well which is an entirely separate business to Co-op. 

Richard Binns, Primary care pharmacist

sorry for the misunderstanding, for clarities sake; I was contacted by Well in relation to sensitive information obtained and stored by Co-op pharmacy, which was leaked into the public domain by Well.


Graham Turner, Non Pharmacist Branch Manager

LOL. Rachael Clarke it seems you were a superintendent at co-op and then well. Does this mean that if you change the company name or get taken over, you are absolved from any failings you made before?

Sorry about Stockport, not the best place in the world.

Rachael Clarke, Superintendent Pharmacist

Hi Graham, I am Superintendent of Co-op Health, formed in 2018 not The Co-operative Pharmacy or Well. 

Leon The Apothecary, Student

Ms Clarke would do well to remember that the internet has a long memory. And the new co-op movements have not been unnoticed.

Advanced Dispensing was a bit of a disaster, wasn't it? InvaTech getting shafted and those mass redundancies in Bristol?

Don't blame anyone for jumping ship and starting afresh...with an old name.

Susan M Shepherd, Community pharmacist

I have not worked for the co-op as was for over 12 years, yet still received two letters telling me my data had been leaked.

N O, Pharmaceutical Adviser

Why don't you all ex-pharmacists/locums who have received these emails/letters and worked more than 7 years ago, complain directly to the ICO with the evidence?? This way, the company cannot escape.

Garry Sykes, Industrial pharmacist

I have

Graham Turner, Non Pharmacist Branch Manager

Over 24000 people's details is an absolute disgrace, they should be MASSIVELY fined by the information commissioner for this. A suitable fine might convince other pharmacy chains (no guessing who I'm talking about here) to update their hardware and hopefully prevent this from happening again, rather than "just hoping it doesn't" and not spending any money.

A harsh financial penalty is probably the only thing that some of these chains will pay attention to.

Sam Pharmacist, Community pharmacist

Somebody is telling porkies. I received a letter from Well saying my data had been accidentally leaked. Now I haven’t locum since 2002. That’s now 16 years ago

Ben Merriman, Community pharmacist

This is truly appalling, I am just livid. Giving confidential data away and not selling it? #Pharmacy2U

Ashley Cohen, Community pharmacist

I have not worked for the Co-op for over 14 years, yet I received a letter saying my data was compromised about the breach of information. Come on Well / C&D come clean as to the scale, size of this breach. 

Lucky Ex-Boots Slave, Primary care pharmacist

GPhC where are you? Look at this massive data breach according to the GDPR regulation. You are turning a blind eye YET AGAIN on unlawful things like this just because they are big multiples?

C A, Community pharmacist

Has anyone asked the GPhC for their opinion on Well's "fitness to practice"?

Graham Turner, Non Pharmacist Branch Manager

You should know very well by now, that the GPhC only goes after individual pharmacists, because they are easy pickings. They will not touch the big multiples no matter what they do, because they are scared of the amount of work and the fact that they may get shown up by a corporate legal team. I would also not be surprised if they have some kind of clandestine realtionship, it certainly would explain a lot.

Garry Sykes, Industrial pharmacist

Same here, 2009 

Angharad Jones, Pharmacy technician

I left in 2010!

Richard Binns, Primary care pharmacist

I was contacted by Well/CoOp regarding this breach, I havent worked for them since 2008, I think that constitutes more than 7 years

Kevin Murphy, Superintendent Pharmacist

Same here, I did my pre-reg with National Co-op in 2005 and locumed for them for a bit after! So they are telling porkies!

Job of the week

Pharmacist Manager
Midlands, Cheshire & Dorset
Salary dependent upon experience