A major online pharmacist has been fined £130,000 by the information commissioner for selling on the data of more than 20,000 patients to secondary marketing companies, which is likely to have resulted in patients having ‘suffered financially’.
The Information Commissioner’s Office (ICO) today fined Pharmacy 2U for failing to inform customers of their intention to sell on their names and postal addresses through an online marketing list company, and for selling it without consent, in contravention of the Data Protection Act.
While the company says medical details were not passed on, it has not been able to notify the customers affected because it ordered the ‘certified destruction’ of their names when the breaches came to light.
The companies who bought Pharmacy 2U customer data, include a health supplements company that has been cautioned for misleading advertising and unverified health claims.
It also included an Australian lottery company under investigation by Trading Standards and which an ICO investigation said ‘appeared to have deliberately targeted elderly and vulnerable individuals, and it is likely that some customers will have suffered financially as a result of their details being passed on’.
The breaches were partly identified as part of a Daily Mail investigation into list marketing companies targeting vulnerable individuals.
Pharmacy 2U has said that it undertook due diligence of companies buying data, but there was no publicly available information about questionable trading practices at the time.
The company ‘sincerely apologised’ for the breach, and said that as soon as it was made aware of the breach it ‘stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed’.
Daniel Lee, managing director of Pharmacy 2U, said: ‘This is a regrettable incident for which we sincerely apologise.
‘While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter… We have also confirmed that we will no longer sell customer data.’
A spokesperson told Pulse: ‘As soon as the issue was brought to our attention, we ordered the certificated destruction of all the names and addresses that had been sold. For that reason, we are unable to contact individual patients.’
ICO deputy commissioner David Smith said: ‘Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable.
‘Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.’