Pharmacy fined for selling older people's data to lottery hoaxers

Thousands of older and vulnerable people’s confidential data has been sold on to fraudsters by a pharmacy.

The UK's largest NHS-approved online pharmacy Pharmacy 2U has been fined £130,000 by the Information Commissioner’s Office (ICO), for selling the names and addresses of more than 20,000 people who bought medicines from it and offering for sale the personal data of more than 100,000 customers.

Breakdowns of customers, such as men over 70 years old, were up for sale without customers’ consent.

ICO investigators found that the lottery company in Australia buying the customer records ‘deliberately targeted elderly and vulnerable individuals and it is likely that some customers will have suffered financially as a result of their details being passed on’.

Customers with Parkinson’s disease were among those targeted. The pharmacy charged £130 per 1000 records until it was investigated by the ICO for breaching the Data Protection Act.

ICO Deputy Commissioner David Smith said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable.

"Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

Pharmacy2U is registered with the General Pharmaceutical Council and the Care Quality Commission. The pharmacy’s electronic prescription service allows NHS patients to register to have their NHS prescriptions sent to Pharmacy2U electronically and delivered to their home address.

It offers the online sale of medicines and also provides an online doctor service, offering confidential online medical consultations with a UK registered GP.

Daniel Lee, managing director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter.

"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.

“We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing.”