UK's largest pharmacy fined for selling personal data to scam artists

21 October 2015

The biggest online pharmacy in the UK has been slapped with a £130,000 fine after they sold patients' personal data to scammers. Those scam artists then targeted people who are vulnerable and sick, which is just great.

Pharmacy2U (P2U) was hauled in by the Information Commissioner's Office (ICO) after it was discovered that they'd been giving names and contact details for people who had bought prescriptions and remedies from their site, through their Alchemy Direct Media company. It turns out they'd illegally sold the personal data of more than 21,000 NHS patients and P2U customers.

You're supposed to get people's permission before you sell their personal data - they did not.

It might be an idea to run some quality control over who you're selling it to, which this lot clearly didn't do, as one of the companies that bought the data turned out to be lottery fraudsters, who then went after pensioners with chronic health conditions.

Over 100,000 customer details were advertised for sale on the database, which actually broke people down into categories, such as detailing which people had Parkinson's disease, or which ones were over 70.

ICO deputy commissioner David Smith said: "Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish."

"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details."


Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data."

"We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use."

"Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level."
