Giant UK Pharmacy Fined For Selling Patient Data To Scammers

from the well,-well... dept

Lots of people talk about internet companies “selling” user data, and in many cases it’s massively exaggerated. Often, what people think is selling data is something else entirely, such as targeted advertising, where no information goes back to the advertiser. For example: just try to go to Facebook or Google and “buy” someone’s data. It can’t be done. You can place ads against certain profiles or keywords, but you don’t get back any data about the people who are being advertised to. That’s not “selling” their data. However, that doesn’t mean that some companies aren’t selling people’s data, and doing so in sketchy ways. And it appears that the UK’s largest online pharmacy, Pharmacy2U, has now been been fined £130,000 not just for selling patient data, but for selling it to scammers.

The details show that Pharmacy2U did a deal with a marketing firm called Alchemy Direct Media to “rent” its customer list, and they seemed to not just reveal all sorts of private information about patients, but to then directly sell it to scam operations:

The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month ?buyers? and 36,207 13-24 month ?buyers?. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as ?130 per 1000 records.

In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers? names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (?the lottery company?) and Camphill Village Trust Ltd.

On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.

Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website ( and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.


On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.

The mailer was headed ?Declaration of Executive Order? and went on to say that the recipient had been ?specially selected? to ?win millions of dollars?. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.

A senior executive of Pharmacy2U approved the order with the words ?OK but let?s use the less spammy creative please, and if we get any complaints I would like to stop this immediately?. The data was sent to Australia.

Yes, it seems pretty clear the Pharmacy2U exec knew exactly what was going on, but still approved the sale of the data. “Let’s use the less spammy creative please” is pretty damning. As ICO’s deputy commissioner David Smith noted in a statement, it’s somewhat astounding that Pharmacy2U didn’t realize that it shouldn’t be selling patient data:

ICO deputy commissioner David Smith said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

And, of course, Pharmacy2U put out a bland PR/lawyer-approved statement that is ridiculous on its face:

Daniel Lee, managing director of P2U, said: “This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.

“As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.

“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”

Not deliberate? Only in the most narrow sense. The Information Commissioner’s Office notes that Pharmacy2U was negligent in its actions, and “ought to have known that its customers had a reasonable expectation of confidentiality” in doing this. It also noted that “the senior executive of Pharmacy2U must have known” that people wouldn’t like the sale of their data, because of his statement about the “less spammy creative” as well as the warning that “if we get any complaints I would like to stop this immediately.” The report also notes that Pharmacy2U must have known substantial damage would likely occur: “it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals.” In addition, the Commissioner found that Pharmacy2U “failed to take any” of the necessary steps to prevent this from happening.

However, despite all of that, the ICO still said that this was not “deliberate” because it did not appear that Pharmacy2U deliberately tried to violate the Data Protection Act. It was just negligent in doing so.

To be honest, the actual fine here seems like a slap on the wrist for something so blatant. Again, lots of people think that every company out there is “selling their data,” but it’s very rarely the case. Unfortunately, it’s likely that the perception that everyone is selling everyone’s data contributed to this ridiculous situation in which actual data (including private medical information) was actually being sold.

Filed Under: , , , , ,
Companies: pharmacy2u

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Giant UK Pharmacy Fined For Selling Patient Data To Scammers”

Subscribe: RSS Leave a comment
orbitalinsertion (profile) says:

Slap on the wrist, indeed

Fines don’t fix anything for any victims, which is another problem. But really, fines for business when one out of a million is taken to court and actually has a judgement against it, should be damaging. Fines should hurt. And really, some of the behaviors for which companies might be fined, they actually should be incarcerated by some method. Particularly since, hey, they are fooken persons, right?

That One Guy (profile) says:

Re: Re: Slap on the wrist, indeed

Start with the amount gained through illegal action, and then multiply it based upon the severity of the crime.

Something ‘minor’ might get a 1.5 multiplier, so they pay 150% of what they gained, while a more serious crime would get something like a 2x or 3x multiplier applied, so they pay twice or three times what they gained. No matter how ‘minor’ it is though, the multiplier would never drop below 1x, so at the very least they would be fined an amount equal to how much they gained, utterly eliminating the financial gain.

Anonymous Coward says:

Real punishment...

…would include – as already mentioned – license suspensions and should include asset forfeiture, including the entire business if willful. Courts should also grow some guts and demand a public admission of wrongdoing, something that is currently being avoided. Monetary sanctions mean nothing to a business especially if the business can be reimbursed by an insurance claim or can write off the sanction as a tax deduction.

That One Guy (profile) says:


A fine that pathetically small is purely for symbolic reason, and in this case the message being sent is pretty clear. ‘Sell all the customer data you want, even if you get caught you’ll still come out ahead’.

Rulings like this are why companies feel so safe pulling these kinds of stunts, because they know that they’ll always come through with more money than they lost, even when they get caught.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...