Online pharmacy slapped with £130,000 fine for flogging customer data
Privacy group: Must be a ban on all marketing to patients
Online pharmacy Pharmacy 2U has been slapped with a £130,000 fine by the Information Commissioner's Office for flogging customers' details to a marketing company without their consent.
The ICO said Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company.
The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.
Privacy group medConfidential, which informed the ICO of the practice, welcomed the fine but said more action needed to be taken.
Phil Booth, coordinator of medConfidential, said: "Vulnerable people shouldn't be exposed to this sort of harm and distress, but what's doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems.
"The government has to act decisively," added Booth. "Six-figure fines alone won't stamp out this poisonous trade; not when there's so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients. Those who profiteer from patients' data are predators and should face prison when they are caught."
"This is a regrettable incident for which we sincerely apologise," said Daniel Lee, managing director, Pharmacy2U, in a statement. "While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed," he added. "We have also confirmed that we will no longer sell customer data." ®