Giant UK Pharmacy Fined For Selling Patient Data To Scammers
from the well,-well... dept
Lots of people talk about internet companies "selling" user data, and in many cases it's massively exaggerated. Often, what people think is selling data is something else entirely, such as targeted advertising, where no information goes back to the advertiser. For example: just try to go to Facebook or Google and "buy" someone's data. It can't be done. You can place ads against certain profiles or keywords, but you don't get back any data about the people who are being advertised to. That's not "selling" their data. However, that doesn't mean that some companies aren't selling people's data, and doing so in sketchy ways. And it appears that the UK's largest online pharmacy, Pharmacy2U, has now been been fined £130,000 not just for selling patient data, but for selling it to scammers.The details show that Pharmacy2U did a deal with a marketing firm called Alchemy Direct Media to "rent" its customer list, and they seemed to not just reveal all sorts of private information about patients, but to then directly sell it to scam operations:
The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month “buyers” and 36,207 13-24 month “buyers”. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson's disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as £130 per 1000 records.Yes, it seems pretty clear the Pharmacy2U exec knew exactly what was going on, but still approved the sale of the data. "Let's use the less spammy creative please" is pretty damning. As ICO's deputy commissioner David Smith noted in a statement, it's somewhat astounding that Pharmacy2U didn't realize that it shouldn't be selling patient data:
In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers’ names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (“the lottery company”) and Camphill Village Trust Ltd.
On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.
Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website (www.woodshealth.com) and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.
[....]
On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.
The mailer was headed “Declaration of Executive Order” and went on to say that the recipient had been “specially selected” to “win millions of dollars”. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.
A senior executive of Pharmacy2U approved the order with the words “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. The data was sent to Australia.
ICO deputy commissioner David Smith said: "Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.And, of course, Pharmacy2U put out a bland PR/lawyer-approved statement that is ridiculous on its face:
"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details."
Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.Not deliberate? Only in the most narrow sense. The Information Commissioner's Office notes that Pharmacy2U was negligent in its actions, and "ought to have known that its customers had a reasonable expectation of confidentiality" in doing this. It also noted that "the senior executive of Pharmacy2U must have known" that people wouldn't like the sale of their data, because of his statement about the "less spammy creative" as well as the warning that "if we get any complaints I would like to stop this immediately." The report also notes that Pharmacy2U must have known substantial damage would likely occur: "it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals." In addition, the Commissioner found that Pharmacy2U "failed to take any" of the necessary steps to prevent this from happening.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed. We have also confirmed that we will no longer sell customer data.
"We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.
"Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level."
However, despite all of that, the ICO still said that this was not "deliberate" because it did not appear that Pharmacy2U deliberately tried to violate the Data Protection Act. It was just negligent in doing so.
To be honest, the actual fine here seems like a slap on the wrist for something so blatant. Again, lots of people think that every company out there is "selling their data," but it's very rarely the case. Unfortunately, it's likely that the perception that everyone is selling everyone's data contributed to this ridiculous situation in which actual data (including private medical information) was actually being sold.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, health information, pharmacy, scams, selling information, uk
Companies: pharmacy2u
Reader Comments
The First Word
“What was the net gain/loss?
That will tell you how likely they are to do it again.
Subscribe: RSS
View by: Time | Thread
Slap on the wrist, indeed
[ link to this | view in chronology ]
Re: Slap on the wrist, indeed
[ link to this | view in chronology ]
Re: Re: Slap on the wrist, indeed
Something 'minor' might get a 1.5 multiplier, so they pay 150% of what they gained, while a more serious crime would get something like a 2x or 3x multiplier applied, so they pay twice or three times what they gained. No matter how 'minor' it is though, the multiplier would never drop below 1x, so at the very least they would be fined an amount equal to how much they gained, utterly eliminating the financial gain.
[ link to this | view in chronology ]
I wonder if their customers can sue individually .
[ link to this | view in chronology ]
TAKE AWAY THE LICENSE!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Pharmacy2U
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What was the net gain/loss?
That will tell you how likely they are to do it again.
[ link to this | view in chronology ]
Lack of due diligence
[ link to this | view in chronology ]
Re: Lack of due diligence
It's one thing to be "merely" negligent. It's another to have a smoking gun that says "we knew these guys were engaged in criminal enterprise and sold the information anyway". That sort of evidence would have made it a willful violation.
[ link to this | view in chronology ]
Real punishment...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Not £130,000
[ link to this | view in chronology ]
Symbolic
Rulings like this are why companies feel so safe pulling these kinds of stunts, because they know that they'll always come through with more money than they lost, even when they get caught.
[ link to this | view in chronology ]
Re: Symbolic
[ link to this | view in chronology ]
Re: Re: Symbolic
[ link to this | view in chronology ]