Giant UK Pharmacy Fined For Selling Patient Data To Scammers
from the well,-well... dept
Lots of people talk about internet companies “selling” user data, and in many cases it’s massively exaggerated. Often, what people think is selling data is something else entirely, such as targeted advertising, where no information goes back to the advertiser. For example: just try to go to Facebook or Google and “buy” someone’s data. It can’t be done. You can place ads against certain profiles or keywords, but you don’t get back any data about the people who are being advertised to. That’s not “selling” their data. However, that doesn’t mean that some companies aren’t selling people’s data, and doing so in sketchy ways. And it appears that the UK’s largest online pharmacy, Pharmacy2U, has now been been fined £130,000 not just for selling patient data, but for selling it to scammers.
The details show that Pharmacy2U did a deal with a marketing firm called Alchemy Direct Media to “rent” its customer list, and they seemed to not just reveal all sorts of private information about patients, but to then directly sell it to scam operations:
The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month ?buyers? and 36,207 13-24 month ?buyers?. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as ?130 per 1000 records.
In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers? names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (?the lottery company?) and Camphill Village Trust Ltd.
On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.
Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website (www.woodshealth.com) and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.
On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.
The mailer was headed ?Declaration of Executive Order? and went on to say that the recipient had been ?specially selected? to ?win millions of dollars?. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.
A senior executive of Pharmacy2U approved the order with the words ?OK but let?s use the less spammy creative please, and if we get any complaints I would like to stop this immediately?. The data was sent to Australia.
Yes, it seems pretty clear the Pharmacy2U exec knew exactly what was going on, but still approved the sale of the data. “Let’s use the less spammy creative please” is pretty damning. As ICO’s deputy commissioner David Smith noted in a statement, it’s somewhat astounding that Pharmacy2U didn’t realize that it shouldn’t be selling patient data:
ICO deputy commissioner David Smith said: “Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”
And, of course, Pharmacy2U put out a bland PR/lawyer-approved statement that is ridiculous on its face:
Daniel Lee, managing director of P2U, said: “This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.
“As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.
“We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.
Not deliberate? Only in the most narrow sense. The Information Commissioner’s Office notes that Pharmacy2U was negligent in its actions, and “ought to have known that its customers had a reasonable expectation of confidentiality” in doing this. It also noted that “the senior executive of Pharmacy2U must have known” that people wouldn’t like the sale of their data, because of his statement about the “less spammy creative” as well as the warning that “if we get any complaints I would like to stop this immediately.” The report also notes that Pharmacy2U must have known substantial damage would likely occur: “it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals.” In addition, the Commissioner found that Pharmacy2U “failed to take any” of the necessary steps to prevent this from happening.
However, despite all of that, the ICO still said that this was not “deliberate” because it did not appear that Pharmacy2U deliberately tried to violate the Data Protection Act. It was just negligent in doing so.
To be honest, the actual fine here seems like a slap on the wrist for something so blatant. Again, lots of people think that every company out there is “selling their data,” but it’s very rarely the case. Unfortunately, it’s likely that the perception that everyone is selling everyone’s data contributed to this ridiculous situation in which actual data (including private medical information) was actually being sold.
Filed Under: .pharmacy, data, health information, scams, selling information, uk
Comments on “Giant UK Pharmacy Fined For Selling Patient Data To Scammers”
Slap on the wrist, indeed
Fines don’t fix anything for any victims, which is another problem. But really, fines for business when one out of a million is taken to court and actually has a judgement against it, should be damaging. Fines should hurt. And really, some of the behaviors for which companies might be fined, they actually should be incarcerated by some method. Particularly since, hey, they are fooken persons, right?
Re: Slap on the wrist, indeed
The amount of the fines should start at the amount of money the company brought in through the illegal action.
Re: Re: Slap on the wrist, indeed
Start with the amount gained through illegal action, and then multiply it based upon the severity of the crime.
Something ‘minor’ might get a 1.5 multiplier, so they pay 150% of what they gained, while a more serious crime would get something like a 2x or 3x multiplier applied, so they pay twice or three times what they gained. No matter how ‘minor’ it is though, the multiplier would never drop below 1x, so at the very least they would be fined an amount equal to how much they gained, utterly eliminating the financial gain.
£130,000 US. $147,426 Seems like an extremely low number ,
I wonder if their customers can sue individually .
TAKE AWAY THE LICENSE!
To be a pharmacy business, a license is required. Real punishment would be a 1 year revocation of the corporate license to dispense prescriptions.
It seems like scammers have more access to patient data than patients themselves. Perhaps if a patient pretended to be a scammer they would get better luck accessing their own data.
Only if they paid. And secrecy was required because both parties understood that the data was to be used for improper purposes.
I have a better idea – revoke the firm’s license to do business (in any field) permanently and bar anyone personally involved in the sale from ever owning or managing a business in any shape or form, at any level. That should definitely help…
They could change their name to PharmacyScrewU
the fine is meant to be for show so they don’t get caught again and embarrass their partners in the ICO again
How much did they make from selling it? And how much were they fined?
What was the net gain/loss?
That will tell you how likely they are to do it again.
Lack of due diligence
A few minutes’ research should suffice to show that Alchemy Direct Media are spammers. Why wasn’t that done?
Re: Lack of due diligence
Easy: “Plausible deniability”
It’s one thing to be “merely” negligent. It’s another to have a smoking gun that says “we knew these guys were engaged in criminal enterprise and sold the information anyway”. That sort of evidence would have made it a willful violation.
…would include – as already mentioned – license suspensions and should include asset forfeiture, including the entire business if willful. Courts should also grow some guts and demand a public admission of wrongdoing, something that is currently being avoided. Monetary sanctions mean nothing to a business especially if the business can be reimbursed by an insurance claim or can write off the sanction as a tax deduction.
more evidence the medical profession is, at its heart, still a travelling sideshow. exceptions abound, but the major thrust is still to improve your sitting posture by thinning your wallet.
It seems only £26,000 fine if it is paid before the deadline
A fine that pathetically small is purely for symbolic reason, and in this case the message being sent is pretty clear. ‘Sell all the customer data you want, even if you get caught you’ll still come out ahead’.
Rulings like this are why companies feel so safe pulling these kinds of stunts, because they know that they’ll always come through with more money than they lost, even when they get caught.
and how funny is it the guy catching them this year is working for them next year…………………
Re: Re: Symbolic
Well, with this on his resume, how could they not hire him? I mean, he’s such a team player, it’s almost like he’s already working for them.