Giant UK Pharmacy Fined For Selling Patient Data To Scammers

Scams

from the well,-well... dept

Lots of people talk about internet companies “selling” user data, and in many cases it’s massively exaggerated. Often, what people think is selling data is something else entirely, such as targeted advertising, where no information goes back to the advertiser. For example: just try to go to Facebook or Google and “buy” someone’s data. It can’t be done. You can place ads against certain profiles or keywords, but you don’t get back any data about the people who are being advertised to. That’s not “selling” their data. However, that doesn’t mean that some companies aren’t selling people’s data, and doing so in sketchy ways. And it appears that the UK’s largest online pharmacy, Pharmacy2U, has now been been fined £130,000 not just for selling patient data, but for selling it to scammers.

The details show that Pharmacy2U did a deal with a marketing firm called Alchemy Direct Media to “rent” its customer list, and they seemed to not just reveal all sorts of private information about patients, but to then directly sell it to scam operations:

The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month ?buyers? and 36,207 13-24 month ?buyers?. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as ?130 per 1000 records.

In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers? names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (?the lottery company?) and Camphill Village Trust Ltd.

On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.

Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website (www.woodshealth.com) and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.

[….]

On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.

The mailer was headed ?Declaration of Executive Order? and went on to say that the recipient had been ?specially selected? to ?win millions of dollars?. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.

A senior executive of Pharmacy2U approved the order with the words ?OK but let?s use the less spammy creative please, and if we get any complaints I would like to stop this immediately?. The data was sent to Australia.

Yes, it seems pretty clear the Pharmacy2U exec knew exactly what was going on, but still approved the sale of the data. “Let’s use the less spammy creative please” is pretty damning. As ICO’s deputy commissioner David Smith noted in a statement, it’s somewhat astounding that Pharmacy2U didn’t realize that it shouldn’t be selling patient data:

ICO deputy commissioner David Smith said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

And, of course, Pharmacy2U put out a bland PR/lawyer-approved statement that is ridiculous on its face:

Daniel Lee, managing director of P2U, said: “This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.

“As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

Not deliberate? Only in the most narrow sense. The Information Commissioner’s Office notes that Pharmacy2U was negligent in its actions, and “ought to have known that its customers had a reasonable expectation of confidentiality” in doing this. It also noted that “the senior executive of Pharmacy2U must have known” that people wouldn’t like the sale of their data, because of his statement about the “less spammy creative” as well as the warning that “if we get any complaints I would like to stop this immediately.” The report also notes that Pharmacy2U must have known substantial damage would likely occur: “it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals.” In addition, the Commissioner found that Pharmacy2U “failed to take any” of the necessary steps to prevent this from happening.

However, despite all of that, the ICO still said that this was not “deliberate” because it did not appear that Pharmacy2U deliberately tried to violate the Data Protection Act. It was just negligent in doing so.

To be honest, the actual fine here seems like a slap on the wrist for something so blatant. Again, lots of people think that every company out there is “selling their data,” but it’s very rarely the case. Unfortunately, it’s likely that the perception that everyone is selling everyone’s data contributed to this ridiculous situation in which actual data (including private medical information) was actually being sold.

Filed Under: .pharmacy, data, health information, scams, selling information, uk
Companies: pharmacy2u