UK's Biggest Online Pharmacy Fined For Selling NHS Patients' Data To Spammers

    Pharmacy2U, which is part-owned by a company that supplies medical record software to general practitioners' offices, has been hit with a £130,000 fine for "negligent" failure to protect data.

    The largest online pharmacy in the UK has been fined £130,000 by the Information Commissioner's Office (ICO) for selling personal data from more than 20,000 NHS patients, many of them vulnerable, to spammers.

    The data was sold to a lottery firm under investigation for fraud and money laundering, and a health supplement company which has been censured for making false claims. Further, the pharmacy is part-owned by a company which supplies medical record-keeping software to GP surgeries.

    Pharmacy2U, which issues prescription drugs to hundreds of thousands of NHS patients across the UK, used a direct marketing company called Alchemy Direct Media to advertise and sell the data it held on patients. The data was sold at £130 for 1,000 records, or a little less than 8p per patient. The sale was first reported in the Daily Mail in March.

    Pharmacy2U is 20% owned by EMIS, which runs patient.info, the "UK's leading health website", and is the "leading supplier of clinical systems for GPs". According to EMIS, its GP software "enables secure, shared access to a patient's electronic health record and currently has over 60,000 GP practice users per week". A non-executive director of Pharmacy2U, Chris Spencer, is the CEO of EMIS.

    The Alchemy website said that the Pharmacy2U data came from patients with health problems including Parkinson's disease, diabetes, erectile dysfunction, high blood pressure, and high cholesterol. The data for sale included contact details and date of birth. While it did not, apparently, include specific medical records, buyers were aware that the data they were buying came from people who were more likely to have certain conditions.

    In a judgment, the ICO called it a "serious contravention" of the Data Protection Act and issued it a monetary penalty of £130,000 for negligence.

    One company which bought 3,000 records — specifically asking for males aged 70 or over — was a lottery company based in Australia which sends letters claiming that the recipient has been "specially selected" to win "millions of dollars", and asking them to send money to get their winnings. According to the ICO, the National Trading Standards scams team has said that if such a letter "was sent by a UK business it would be likely to breach the UK Consumer Protection from Unfair Trading Regulations", and the company is under criminal investigation.

    A senior executive of Pharmacy2U apparently approved the data sale, saying in an email: "OK but let's use the less spammy creative please, and if we get any complaints I would like to stop this immediately." The ICO says that this shows that the executive "must have known that there was a risk that people may object to the sale of data to the lottery company".

    A further 13,000 records were sold to Griffin Media Solutions, on behalf of a company called Woods Supplements, which sells products which claim to treat diseases including erectile dysfunction, high blood pressure, and high cholesterol. Woods Supplements' parent company, Healthy Marketing, has previously been censured under advertising laws for "misleading advertising" and "unauthorised health claims".

    The remaining records were sold to a charity which used the contact details to solicit donations.

    Ben Goldacre, a medical doctor and journalist behind the AllTrials campaign which lobbies for transparency in medical research, told BuzzFeed News on Tuesday that the sale of the data was "particularly seedy when you look at who bought it, people who were trying to target vulnerable individuals with a financial scam".

    "Pharmacies like Pharmacy2U are part of the healthcare family," he added. "They're in the club of people who you'd expect to be absolutely meticulous, rigorous, and perfect about how they manage your data. We don't expect to find them advertising it for sale online at 8p a patient, boasting about how unwell you all are. It's really, really seedy."

    He added that Pharmacy2U is "not just any old company, it's one with a huge link to patient data", because of the stake held by EMIS.

    When contacted by BuzzFeed News, a Pharmacy2U spokesman said: "EMIS Group has absolutely no connection to the issue raised by the ICO. Pharmacy2U and EMIS Group are two entirely separate businesses. While EMIS Group has a minority shareholding in Pharmacy2U, it has no involvement in the day-to-day running of the business."

    When contacted by BuzzFeed News, Spencer, the non-executive director of Pharmacy2U and the CEO of EMIS, said: "EMIS Group takes today’s ICO decision very seriously indeed. The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC."

    Daniel Lee, managing director of Pharmacy2U, said in a statement: "This is a regrettable incident for which we sincerely apologise." He went on to say: "As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data."

    CORRECTION

    Chris Spencer is a non-executive director of Pharmacy2U. A previous version of this post misstated his job title.

    Tom Chivers is a science writer for BuzzFeed and is based in London.

    Contact Tom Chivers at tom.chivers@buzzfeed.com.
