Your health data sold to fraudsters in Australia
Elderly patients exploited by NHS firm It’s fined £130,000 for ‘very serious breach of law’ Officials praise Mail for exposing the scandal
THOUSANDS of elderly patients had their health data sold to suspected fraudsters in Australia by an online NHS prescription service, the Mail can reveal today.
Pharmacy 2U – the country’s leading online pharmacy which has NHS accreditation – sold details of more than 20,000 users without their knowledge.
And it handed details of 3,000 elderly patients – many with long-term illnesses – to a company that went on to target them with lottery scams.
Bosses at the pharmacy agreed to pass on the elderly customers’ details even after seeing the suspect lottery letters that were to be sent to them – which falsely said they had won ‘millions of dollars’.
Last night the Daily Mail was thanked by the Information Commissioner’s Office for uncovering the scandal, described as a ‘very serious breach’ of the law. The ICO, which fined the pharmacy £130,000, said the details of thousands more patients could have been sold had this newspaper not brought the practice to light. ‘If the Daily Mail had not uncovered this wrongdoing, it probably would have carried on,’ said deputy commissioner David Smith.
However, MPs and campaigners branded the £130,000 penalty ‘derisory’ and said someone should be ‘ going to prison’ over what had happened.
The Mail revealed this year how the details of thousands of NHS patients – who were using Pharmacy 2U to order medicine online – were being sold without their knowledge.
The revelations caused an outcry, with MPs and campaigners calling for a criminal probe into the companies involved – while investigations were immediately launched into Pharmacy 2U by the ICO and the General Pharmaceutical Council.
It can now be revealed that bosses at the website agreed to sell the names and addresses of 3,000 elderly patients to an Australia-based scam lottery company, which is now at the centre of an international investigation into fraud and money laundering.
Pharmacy 2U, which boasts that its service is ‘discreet and confidential’, advertised the details of its users for sale online for 16p each through a data company.
The advert even claimed the patients on its list were likely to have illnesses ‘ such as asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction and hair loss’. It said that in total, the details of 100,000 patients were available – with most of them over 40.
When buying 3,000 sets of details, the lottery company demanded only those of patients aged 70 or older – the group considered most susceptible to scams.
It even showed its letters to bosses at Pharmacy 2U f or approval, which said the recipient had been ‘specially selected’ to ‘win millions of dollars’. But in what was in fact a blatant scam, they went on to say the recipient would have to send money by cheque, postal order or credit card to claim the prize. Even though Pharmacy 2U bosses com- mented that the letters looked ‘spammy’, they agreed to sell the customers details anyway.
An executive approved the deal, saying: ‘OK but let’s use the less spammy creative (design) please, and if we get any complaints I would like to stop this immediately.’
The fact the lottery company asked for only the details of those aged 70 or older suggested they ‘deliberately targeted elderly and vulnerable individuals,’ the ICO said. It added that ‘it is likely some customers will have suffered financially’, with victims of similar scams losing up to £16,000. In total, 21,500 patients had their data sold, with three companies buying the information. Another buyer was Woods Supplements, a health catalogue caught making ‘unauthorised claims’, the ICO said.
The fine is the first ever issued by the ICO for ‘unfair processing’ of data. The deputy commissioner said he hoped the penalty would ‘send out a clear message’.
But Tory MP Dr Sarah Wollaston, chairman of the Commons health select committee, said: ‘This is absolutely appalling and beyond belief. Personally, I think that fine is absolutely derisory [and] completely fails to appreciate the level of harm done here.’
And Phil Booth, of med-Confidential data campaigners who made the original complaint, said: ‘This is truly disgraceful. The largest NHS-approved online pharmacy, part-owned by the IT company that provides most GPs with their medical records systems, has been caught selling patient data to people we now know were scammers and shysters ... and yet no one’s going to prison.’
He called for a statutory blanket ban on marketing to patients.
Daniel Lee, managing director of Pharmacy 2U, said: ‘ This is a regrettable incident for which we sincerely apologise.’
He added that the company ‘undertook due diligence to check that the organisations intending to use the data were reputable’ and that there was ‘no publicly available information’ at the time to suggest any were unscrupulous.
He added: ‘While we are grateful that the ICO recognise our breach was not deliberate, we appreciate this was a serious matter.
‘As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed ... We will no longer sell customer data and we have changed our privacy policy.’
Comment – Page 14