Pharmacy2U has been making the headlines for all the wrong reasons of late. First came the revelations in October of the sale of its patient data, and then the delay in medicines deliveries over Christmas, which resulted in a special General Pharmaceutical Council inspection.
It is easy to think these examples of bad practice have no relevance to ethical pharmacy businesses. But the Information Commissioner’s Office (ICO) decision to fine Pharmacy2U £130,000 for breaching the Data Protection Act has important lessons for all pharmacies, including those without an online business.
Pharmacy2U sold data to an Australian lottery company, which specifically asked for records of males aged over 70. It used the list to mailshot people, saying they had been "specially selected" to "win millions of dollars". Unbeknownst to Pharmacy2U, the lottery company was the subject of an international investigation into fraud and money laundering.
Another list was sold to a business that sells health supplements and which had previously been found to have published misleading advertising and unauthorised health claims.
The purchasers were told the lists included patients suffering from conditions that included high blood pressure, heart disease, epilepsy, erectile dysfunction, haemorrhoids and hair loss. The ICO decided that the Data Protection Act had been breached because personal data had been obtained unfairly – customers had not given informed consent to the sale of their details.
The ICO found that substantial damage or distress would be caused, because Pharmacy2U advertised its service as "discreet and confidential", and some people might be extremely worried that a third party could surmise that they were suffering from an embarrassing health condition. People who received marketing material about health supplements might buy something they read about in a misleading advertisement and use it instead of their prescribed medication.
The lottery company had targeted people it had identified as elderly and vulnerable, and ticket purchasers might have incurred serious financial loss.
The IC ruled that even though the breaches of the Data Protection Act were not deliberate, it should have been obvious to Pharmacy2U that substantial distress or loss would be caused.
The level of fine indicates the seriousness with which health-related data breaches are viewed. Online businesses should review their privacy policies, and all pharmacies should be mindful of how patient data is used. Even if data can lawfully be sold, it makes sense to find out how the data will be used, and consider whether the use would cause patients distress or loss.
David Reissner is senior healthcare partner at law firm Charles Russell Speechlys