Practices have been warned to seek assurances over data security after an online pharmacy service, linked to GP IT provider EMIS, was fined for selling names and addresses of 20,000 patients.
Online prescription service Pharmacy2U, which is 20% owned by EMIS and holds an NHS pharmacy contract, was fined £130,000 by the Information Commissioner's Office (ICO) for selling the data through a direct marketing firm.
Companies that bought patient details included a health supplements company which was cautioned for misleading advertising, and an Australian lottery firm subject to a Trading Standards investigation, the ICO found.
Pharmacy2U, which holds the largest NHS pharmacy contract in England, operates through the NHS electronic prescription service (EPS). The company receives digitally signed prescription information requested by patients from GPs via the EPS. The firm says it has been instrumental in developing the EPS, working with the NHS since 2001.
The name and address details sold were supplied by customers themselves when they registered to use the pharmacy's services online, the company said.
The ICO ruling found that names and addresses sold included NHS patients using the electronic prescription service as well as Pharmacy2U's online patients and retail customers.
Information campaigner Phil Booth from MedConfidential, which made the complaint to the ICO on behalf of patients, said GPs could order prescriptions from the online pharmacy through their practice IT systems. The sale of patient data undermined the trust between GPs and patients, he said. ‘If [this is the] mechanism a GP offers to provide you with a prescription, you assume the same level of confidentiality. You don’t expect you will get spammed by Australian lottery firms.’
Mr Booth called for a ‘blanket, statutory ban on all marketing to patients’.
GPC deputy chairman Dr Richard Vautrey welcomed the ICO action. ‘Practices need to be as careful as possible about how information is recorded and used and get guarantees from anyone they work with to ensure information recorded in the system is secure,’ he said.
GPC IT committee chairman Dr Paul Cundy added: ‘The findings raise serious concerns about the handling of personal data by Pharmacy2U, which is the UK’s largest NHS approved online pharmacy.
‘Although the BMA welcomes the ICO investigation, we are pushing for custodial penalties for those who wilfully or recklessly abuse personal data. In our view, the current financial penalties do not offer enough of a deterrent. It is not yet clear whether any further action will be taken by the General Pharmaceutical Council or Care Quality Commission, with which Pharmacy2U is registered.’
NHS patient data sold
The ICO investigation found that 100,000 patients’ information had been advertised for sale, described as including people with asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of patients, such as men over 70 years old, were available. Records were for sale for £130 per 1,000 records.
The investigation found that the lottery firm which bought information deliberately targeted elderly patients and that it is likely some will have suffered financially as a result.
Senior executives at Pharmacy2U were found to have approved the selling of NHS patient information.
Patients were not informed their information would be sold, in breach of the Data Protection Act, the commissioner found. The investigation found the firm had acted deliberately, but did not deliberately contravene the Act.
ICO deputy commissioner David Smith said: ‘Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgment, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
‘Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.’
Remedial action
Pharmacy2U managing director Daniel Lee said in a statement: ‘This is a regrettable incident for which we sincerely apologise.
‘As a responsible company, we undertook due diligence to check that the organisations intending to use the data were reputable. There was no publicly available information at the time to suggest that the lottery company was suspected of any wrongdoing and we have confirmed with the relevant authorities that they were validly licensed. The ICO has recognised in its Monetary Penalty Notice that Pharmacy2U would not have known that there were any questions over the lottery company’s reputation. There was no publicly available information at the time that there had been a complaint to the ASA about Healthy Marketing Ltd.
‘While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter. As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed.
‘We have also confirmed that we will no longer sell customer data.
‘We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.
‘Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing. We have also worked with the Plain English Campaign to make our policies as clear as possible to our customers.
‘We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.’
EMIS Group CEO Chris Spencer, a non-executive director at Pharmacy2U, said: ‘EMIS Group takes today’s ICO decision very seriously indeed. The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC.
‘The decision to sell data was made by the executive day-to-day management team at Pharmacy2U. It was never discussed by the Pharmacy2U board, nor was that board consulted before the decision was made.
‘As the ICO’s report makes clear: Pharmacy2U did not deliberately contravene the Data Protection Act; and when it made the decision to sell data, Pharmacy2U did not have access to the now available information that could lead it to believe that some of the companies receiving the data could be involved in fraudulent activity.
‘As a minority shareholder in Pharmacy2U we were extremely concerned when this issue was originally reported.
‘As a leading provider of clinical software systems, EMIS Group has always maintained the highest standards of patient confidentiality and data security. We note the ICO’s ruling and that Pharmacy2U is committed to taking comprehensive remedial action. This includes confirming that it will no longer sell customer data and moving to a proactive consent model for its own marketing.’