UPDATED - 'Poisonous' online pharmacy Pharmacy2U fined by ICO for illegally selling NHS patient data

UK's largest online pharmacy is 20 per cent owned by biggest provider of GP IT systems in England

The Information Commissioner's Office has fined Pharmacy2U, the UK's largest online pharmacy company, a total of £130,000 for illegally selling customer details and breaching the Data Protection Act.

It comes shortly after the ICO launched an investigation into similar illegal data sharing in the charity sector.

Pharmacy2U - which is 20 per cent owned by EMIS, the single largest provider of GP IT systems across England - offered information about customer names and addresses for sale through an online marketing list company.

The details were purchased by a number of other organisations with questionable records. Those included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.

An ICO investigation found that Pharmacy2U hadn't given customers any indication that it intended to sell their private details and that the customers hadn't provided permission for the information to be sold. That meant Pharmacy2U was in breach of the Data Protection Act.

"Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable," said ICO Deputy Commissioner David Smith.

"Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish," he continued.

"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details," Smith added.

The report of the ICO investigation states that it was deemed "appropriate" to issue a monetary penalty due to the "the nature and seriousness of the contravention" and Pharmacy2U's "shortcomings in terms of its DPA duties and the risks posed to a number of individuals".

In total, Pharmacy 2U advertised over 100,000 customer details for sale, with the online database detailing what conditions people were suffering. Specific breakdowns of types of customer were offered for sale for £130 per 1,000 records, representing a massive breach of privacy.

The initial complaint to the ICO about Pharmacy2U was made by medical confidentiality campaign group medConfidential. However, the organisation has been left surprised by the scale at which Pharmacy 2U was disregarding patient confidentiality.

"When medConfidential made a complaint to the Information Commissioner on behalf of patients who were being marketed, we'd no idea the trade in their data was as murky as this," said Phil Booth, coordinator of medConfidential.

"Vulnerable people shouldn't be exposed to this sort of harm and distress, but what's doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems," he continued.

Booth argued that the government "has to act decisively" to combat the sort of activity Pharmacy2U has engaged in.

"Six-figure fines alone won't stamp out this poisonous trade; not when there's so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients," he said.

"Those who profiteer from patients' data are predators and should face prison when they are caught," Booth concluded.

Booth has previously criticised NHS plans to hand over medical records to high street retailers.

"These are commercial organisations, large chains, who are looking for opportunities to make money. If you give them access to all this medical information it is irresistible to them to use it," he said.

UPDATE: In a statement issued to Computing, Pharmacy2U said: "This is a regrettable incident for which we sincerely apologise."

Managing director Daniel Lee explained and that there was "no publicly available information" to suggest the lottery company or health firm were involved in suspected wrongdoing.

"While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed," said Lee, who confirmed that Pharmacy2U will no longer sell customer data.

"Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers," he explained.

"We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level," Lee concluded.