back to article Online pharmacy slapped with £130,000 fine for flogging customer data

Online pharmacy Pharmacy 2U has been slapped with a £130,000 fine by the Information Commissioner's Office for flogging customers to a marketing company without their consent. The ICO said Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. The ICO investigation found that …

  1. This post has been deleted by its author

    1. g e

      It's a bit of a struggle

      To work out how it couldn't be deliberate as it was being sold, not ineptly exposed...

      Invoices are particularly fine indicators of 'pretty bloody deliberate' IMHO. I've never 'accidentally' issued one, for sure.

    2. Recaf

      So, ignorance is a defence?

      They're saying that breaking the rules was not deliberate, not that they weren't deliberately selling customer data.

      I always thought ignorance was no defence, but apparently ICO see things differently.

    3. Jim 59

      Flogging customer data. That's a paddlin'.

    4. Doctor Syntax Silver badge

      It sounds like a case of failure to engage brain before setting the mouth in motion,

  2. Pascal Monett Silver badge

    Oh really ?

    “This is a regrettable incident for which we sincerely apologise," said Daniel Lee, managing director, Pharmacy2U, in a statement. "While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter.

    "As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed," he added. "We have also confirmed that we will no longer sell customer data."

    A regrettable incident ? Oh, getting caught you mean, of course. Yes, quite unfortunate.

    The ICO recognise that the breach was not deliberate ? How nice of your pal over there. So, golf still on next Sunday ?

    You stopped the trial selling of customer data ? You mean, there was a trial ? That had specifically been set up to sell customer data ? And you can say with a straight face that it wasn't deliberate ?

    Somebody call the press, we've found the next PM.

  3. Slartybardfast

    Tweets by Dr Ben Goldacre

    ben goldacre ‏@bengoldacre

    "So: the bloke who makes the GP software that stores your NHS patient records also just flogged NHS data to scammers."

    " EMIS (GP computer system) CEO is director of t'dodgy pharmacy that sold thousands of NHS patients data to fraudsters "

    1. Blip
      Thumb Up

      Re: Tweets by Dr Ben Goldacre

      I highly recommend the book Bad Pharma by Ben Goldacre: which links to:

      I have not connection to him other than to have read a couple of his books.

      1. F0rdPrefect

        Re: Tweets by Dr Ben Goldacre

        And don't forget Bad Science.

        Should be on the mandatory reading list in all schools, and proof of having read it a requisite for all local and national government jobs, including councillors, MPs and MEPs

        Might get a small bit of sense into the world if it was.

  4. Anonymous Coward
    Anonymous Coward

    And this was a 'legitimate' online pharmacy recommended by the NHS.

    I dread to think what the offshore grey market purveyors of prescription uppers, downers and hormones are like.

    1. TitterYeNot

      Re: And this was a 'legitimate' online pharmacy

      " recommended by the NHS."

      A £130,000 fine? No. I don't think so.

      Removal from NHS England pharmaceutical lists for a few months (so that they can't legally dispense NHS prescription drugs) till they have demonstrated that they have the procedures in place to ensure that this never, ever happens again?

      Yes. Oh very much yes.

      And they wonder why we worry about

      1. Anonymous Coward
        Anonymous Coward

        Re: And this was a 'legitimate' online pharmacy

        Removal from NHS England pharmaceutical lists for a few months

        Sadly not within the remit of the ICO. However, it would be within the remit of the General Pharmceutical Council who routinely suspend pharmscists registration for misconduct, and a quick gander at the GPC's standards of conduct suggest that this shower could be held to be in breach of clauses 2.2, 3.5, 3.7, 6.5 and 6.6.

        It seems a bit much to hope that the GPC will see this and be proactive, but any affected customers might care to report them.

        1. nsld

          Re: And this was a 'legitimate' online pharmacy

          Reporting form for the GPC

          1. F0rdPrefect

            Re: Reporting form for the GPC

            Thanks for that.

            Completed and submitted.

            Suggest other UK readers do the same

  5. Slx


    Nobody expects their details to be sold and certainly not by a healthcare provider!

  6. nsld


    He didnt get consent, he deliberately sold data without the consent, the ICO has fined him but it was an "oversight" on his part and when he got caught he had to stop?

    This is why the ICO needs to be given powers to imprison people like this cockwomble.

    As for any NHS contracts they should go immediately, selling sensitive personal information of people with medical conditions is the worst kind of breach.

    1. nichomach

      Re: So

      That presumes the ICO would exercise them, which they wouldn't. These are the incompetent lackadaisical fucknuggets that did precisely *nothing* about Phorm, remember.

      1. Anonymous Coward
        Anonymous Coward

        Re: So

        To be fair there was bugger all they could do about Phorm as they didn't have the powers to act then in the way they can now.

        I'm all for kicking my former employer when necessary but it's a bit harsh to criticise them for something they couldnt do.

        Oh and as for jail sentances the possibility is there in the revised legislation, it just needs 'Call me Dave' and his bunch of cronies to sign it off. Something they and their predecessors have been consciensciously avoiding for the last few yrs.

  7. Mephistro Silver badge

    "...£130,000 fine..."

    I doubt the amount fined will serve as a deterrent, as it's probably less than what they earned selling the data. Seriously, I can't understand why criminal law is not involved in this case.

  8. graeme leggett

    translation quiz - pick one

    "As soon as the issue was brought to our attention, we stopped the trial selling of customer data "

    can be translated as:

    a) Once we realised the game was up....

    b) Once someone told us something we ought to already have known was wrong....

    c) Back pedal! Back pedal!

    d) all of the above

    1. F0rdPrefect

      Re: translation quiz - pick one


      and e) Oh Shit!

  9. n3wt

    And if you read the actual judgement...

    ... it's all very disturbing. The "not deliberate" is as in the company did not deliberately set out with the express purpose of breaching the DPA. The ICO found that they were negligent in that particular sense but the sale was deliberate and they knew they were selling to spammers.

    So... not idiots, just scum.

    1. Anonymous Coward
      Anonymous Coward

      Re: And if you read the actual judgement...

      The "not deliberate" is as in the company did not deliberately set out with the express purpose of breaching the DPA.

      Well, that is just about the weakest excuse ever. I didn't actually set out to kill this man by shooting him, I was just making a hole in his head, m'lurd. That he died was nothing but an unfortunate side effect..

  10. Smooth Newt Silver badge

    £130k fine, err £104k

    "If the Commissioner receives full payment of the monetary penalty by 13 November 2015 the Commissioner will reduce the monetary penalty by 20% to £104,000

    However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal."

    Why do they need to give an early payment discount? Doesn't the ICO have enough for Christmas shopping?

    1. Synonymous Howard

      Re: £130k fine, err £104k

      Processing of an appeal by ICO probably costs a lot more than £26k I guess ... Hence the offer as it saves the tax payer in a roundabout way(ish)?

  11. Tezfair

    probably not the only ones

    I know for a fact that Travis Perkins has sold my details, I made an online enquiry but put me down as Dr rather than Mr, now I get loads of postal junk. All good for the bonfire :)

  12. Trigonoceps occipitalis


    "our breach was not deliberate"

    Philosophy 101

    Saying it doesn't make it so.

  13. mcpharm

    Doesn't surprise me. 130k will sting them but ICO needs to look at EMIS

    I work in the sector .. P2U has had ALOT of money sunk into it waiting for the advent of electronic prescriptions which they were the original prime mover on - pitching to the blair gov in the early noughties. They are still bleeding money 15yrs on and am sure there is pressure from EMIS and EMIS shareholders who are also P2U shareholders to make some damn money finally. The ICO needs to look the relationship with P2U and EMIS I would be more worried about the fact the EMIS own over 1/5th of the stock, have board seat and that one of the big shareholders in EMIS is also a P2U investor. EMIS provide the patient record software to 54% of all english GPs.

    For the last year they have been leafleting patients of every GP in England after the surgery converts to electronic prescriptions. Magically, patients registered to EMIS surgeries get these leaflets weeks before patients registered to non EMIS surgeries do .. both EMIS and P2U have denied anything improper ... hmm, cough, splutter, bulls**t.

  14. Anonymous Coward
    Anonymous Coward

    Chemist Direct?

    Are this lot anything to do with Chemist Direct?

    They clearly have a data leakage problem. I'm one of those boring people that uses specific email addresses for different organisations. The one I used with ChemistDirect has apparently been made available outside ChemistDirect and now gets spammed. None of my others appear to have leaked. Emails to them on this subject are not acknowledged and the phone sales team say "send an email".

    Avoid. And spread the word.

    1. Doctor Syntax Silver badge

      Re: Chemist Direct?

      "The one I used with ChemistDirect ... now gets spammed"

      So just discontinue it & let the spam get bounced. It's one of the reasons for using separate addresses.

      1. Anonymous Coward
        Anonymous Coward

        Re: Chemist Direct?

        "So just discontinue it & let the spam get bounced."

        Done long ago, but as the police are now magically supposed to be interested in cybercrime (after years of neglect), shouldn't I be reporting it to the police?

    2. Anonymous Coward
      Anonymous Coward

      Re: Chemist Direct?

      Likewise I get spam to the address I used with Chemist Direct. Tried contacting them about it and no response (unlike another organisation who took such a report seriously).

      Not a company I'll deal with now.

    3. F0rdPrefect

      Re: Chemist Direct?

      Don't email.

      Write, recorded delivery to the MD.

      Details available FOC from the Companies House Beta site.

  15. Dr Potatohead

    How would we find out...

    ...if we were one of the people who's data had been sold so we can report them?

  16. s. pam

    So what happens?

    If you've actually bought something from these c-nuts? I bought some stop smoking thingies from them. So are my personal details out in the wild, and if so what's my reward?

    Seems to me a years free Experian would be a good start!

    1. Adam 52 Silver badge

      Re: So what happens?

      Experian is never good, free or not. Ask youself who is the biggest private seller of personal data in the UK and why you'd want to voluntarily give them anything.

  17. teebie

    It seems that the fines for privacy violations or financial wrongdoing are usally so small relative to the amount earnt for the crime that they are just a cost of business, and not an effective deterent.

    According to ICO "records were advertised for sale for £130 per 1000 records.", so unless there were a million sales (say, each of the 100,000 customers advertised 10 times each), the fine is big enough that the crime wasn't financially worth it. That's refreshing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020