Online pharmacy fined for selling customer data

  • Published
Prescription drugsImage source, SPL
Image caption,

Pharmacy2U had made a "serious error" when selling customer information, the UK's data watchdog said

Online drug seller Pharmacy2U has been fined £130,000 for selling information about customers to marketing companies.

The data was sold to several companies, including one warned over misleading advertising and another facing an investigation into a lottery it ran.

Pharmacy2U had made a "serious error of judgement" in selling the data, the information commissioner said.

The pharmacy said the sales had been a "regrettable incident", for which it apologised.

Vulnerable targeted

The names and addresses of more than 20,000 Pharmacy2U customers had been sold via a marketing company, the Information Commissioner's Office (ICO) said in a statement, external.

Pharmacy2U, the UK's largest NHS-approved online pharmacy, had advertised - at £130 per 1,000 customers - its database of 100,000 patients with many different medical conditions including asthma, erectile dysfunction and Parkinson's disease, sorted by age and gender.

ICO deputy commissioner David Smith said it was likely some customers had suffered financially - one buyer of the data deliberately targeted elderly and vulnerable people.

And Pharmacy2U had breached data protection rules by not seeking the customers' consent.

Mr Smith said: "Patient confidentiality is drummed into pharmacists.

"It is inconceivable that a business in this sector could believe these actions were acceptable.

"Once people's personal information has been sold on once in this way, we often see it then gets sold on again and again."

In a statement, external, Pharmacy2U issued a "sincere apology" and said it would no longer sell information about its customers.

It said it had taken steps to find out if the organisations buying the data had been reputable and, at the time of the sale, there had been no reason to believe any of them had been "suspected of any wrongdoing".

It said it had "learned from this incident" and would "continue to do all we can to ensure that their data is protected to the highest level".