Giant UK Pharmacy Fined For Selling Patient Data To Scammers

from the well,-well... dept

Lots of people talk about internet companies "selling" user data, and in many cases it's massively exaggerated. Often, what people think is selling data is something else entirely, such as targeted advertising, where no information goes back to the advertiser. For example: just try to go to Facebook or Google and "buy" someone's data. It can't be done. You can place ads against certain profiles or keywords, but you don't get back any data about the people who are being advertised to. That's not "selling" their data. However, that doesn't mean that some companies aren't selling people's data, and doing so in sketchy ways. And it appears that the UK's largest online pharmacy, Pharmacy2U, has now been been fined £130,000 not just for selling patient data, but for selling it to scammers.

The details show that Pharmacy2U did a deal with a marketing firm called Alchemy Direct Media to "rent" its customer list, and they seemed to not just reveal all sorts of private information about patients, but to then directly sell it to scam operations:
The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month “buyers” and 36,207 13-24 month “buyers”. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson's disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as £130 per 1000 records.

In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers’ names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (“the lottery company”) and Camphill Village Trust Ltd.

On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.

Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website (www.woodshealth.com) and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.

[....]

On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.

The mailer was headed “Declaration of Executive Order” and went on to say that the recipient had been “specially selected” to “win millions of dollars”. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.

A senior executive of Pharmacy2U approved the order with the words “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. The data was sent to Australia.
Yes, it seems pretty clear the Pharmacy2U exec knew exactly what was going on, but still approved the sale of the data. "Let's use the less spammy creative please" is pretty damning. As ICO's deputy commissioner David Smith noted in a statement, it's somewhat astounding that Pharmacy2U didn't realize that it shouldn't be selling patient data:
ICO deputy commissioner David Smith said: "Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details."
And, of course, Pharmacy2U put out a bland PR/lawyer-approved statement that is ridiculous on its face:
Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.

"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.

"We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.

"Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level."
Not deliberate? Only in the most narrow sense. The Information Commissioner's Office notes that Pharmacy2U was negligent in its actions, and "ought to have known that its customers had a reasonable expectation of confidentiality" in doing this. It also noted that "the senior executive of Pharmacy2U must have known" that people wouldn't like the sale of their data, because of his statement about the "less spammy creative" as well as the warning that "if we get any complaints I would like to stop this immediately." The report also notes that Pharmacy2U must have known substantial damage would likely occur: "it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals." In addition, the Commissioner found that Pharmacy2U "failed to take any" of the necessary steps to prevent this from happening.

However, despite all of that, the ICO still said that this was not "deliberate" because it did not appear that Pharmacy2U deliberately tried to violate the Data Protection Act. It was just negligent in doing so.

To be honest, the actual fine here seems like a slap on the wrist for something so blatant. Again, lots of people think that every company out there is "selling their data," but it's very rarely the case. Unfortunately, it's likely that the perception that everyone is selling everyone's data contributed to this ridiculous situation in which actual data (including private medical information) was actually being sold.

Filed Under: data, health information, pharmacy, scams, selling information, uk
Companies: pharmacy2u


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • icon
    orbitalinsertion (profile), 20 Oct 2015 @ 11:54am

    Slap on the wrist, indeed

    Fines don't fix anything for any victims, which is another problem. But really, fines for business when one out of a million is taken to court and actually has a judgement against it, should be damaging. Fines should hurt. And really, some of the behaviors for which companies might be fined, they actually should be incarcerated by some method. Particularly since, hey, they are fooken persons, right?

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Oct 2015 @ 7:41am

      Re: Slap on the wrist, indeed

      The amount of the fines should start at the amount of money the company brought in through the illegal action.

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 21 Oct 2015 @ 8:41am

        Re: Re: Slap on the wrist, indeed

        Start with the amount gained through illegal action, and then multiply it based upon the severity of the crime.

        Something 'minor' might get a 1.5 multiplier, so they pay 150% of what they gained, while a more serious crime would get something like a 2x or 3x multiplier applied, so they pay twice or three times what they gained. No matter how 'minor' it is though, the multiplier would never drop below 1x, so at the very least they would be fined an amount equal to how much they gained, utterly eliminating the financial gain.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 11:59am

    £130,000 US. $147,426 Seems like an extremely low number ,

    I wonder if their customers can sue individually .

    reply to this | link to this | view in chronology ]

  • identicon
    Christenson, 20 Oct 2015 @ 12:07pm

    TAKE AWAY THE LICENSE!

    To be a pharmacy business, a license is required. Real punishment would be a 1 year revocation of the corporate license to dispense prescriptions.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 12:10pm

    It seems like scammers have more access to patient data than patients themselves. Perhaps if a patient pretended to be a scammer they would get better luck accessing their own data.

    reply to this | link to this | view in chronology ]

  • icon
    Max (profile), 20 Oct 2015 @ 12:10pm

    I have a better idea - revoke the firm's license to do business (in any field) permanently and bar anyone personally involved in the sale from ever owning or managing a business in any shape or form, at any level. That should definitely help...

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 20 Oct 2015 @ 12:32pm

    Pharmacy2U

    They could change their name to PharmacyScrewU

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 12:33pm

    the fine is meant to be for show so they don't get caught again and embarrass their partners in the ICO again

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 1:04pm

    How much did they make from selling it? And how much were they fined?
    What was the net gain/loss?

    That will tell you how likely they are to do it again.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 1:46pm

    Lack of due diligence

    A few minutes' research should suffice to show that Alchemy Direct Media are spammers. Why wasn't that done?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Oct 2015 @ 7:19pm

      Re: Lack of due diligence

      Easy: "Plausible deniability"

      It's one thing to be "merely" negligent. It's another to have a smoking gun that says "we knew these guys were engaged in criminal enterprise and sold the information anyway". That sort of evidence would have made it a willful violation.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 2:20pm

    Real punishment...

    ...would include - as already mentioned - license suspensions and should include asset forfeiture, including the entire business if willful. Courts should also grow some guts and demand a public admission of wrongdoing, something that is currently being avoided. Monetary sanctions mean nothing to a business especially if the business can be reimbursed by an insurance claim or can write off the sanction as a tax deduction.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Oct 2015 @ 3:58pm

    more evidence the medical profession is, at its heart, still a travelling sideshow. exceptions abound, but the major thrust is still to improve your sitting posture by thinning your wallet.

    reply to this | link to this | view in chronology ]

  • identicon
    FK, 21 Oct 2015 @ 5:03am

    Not £130,000

    It seems only £26,000 fine if it is paid before the deadline

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 21 Oct 2015 @ 8:44am

    Symbolic

    A fine that pathetically small is purely for symbolic reason, and in this case the message being sent is pretty clear. 'Sell all the customer data you want, even if you get caught you'll still come out ahead'.

    Rulings like this are why companies feel so safe pulling these kinds of stunts, because they know that they'll always come through with more money than they lost, even when they get caught.

    reply to this | link to this | view in chronology ]

    • identicon
      Digitari, 21 Oct 2015 @ 9:07am

      Re: Symbolic

      and how funny is it the guy catching them this year is working for them next year.....................

      reply to this | link to this | view in chronology ]

      • icon
        That One Guy (profile), 21 Oct 2015 @ 6:51pm

        Re: Re: Symbolic

        Well, with this on his resume, how could they not hire him? I mean, he's such a team player, it's almost like he's already working for them.

        reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.