Police Action Demanded After NHS-Backed Pharmacy Sells Personal Data to Marketing Firms

REUTERS/Hyungwon Kang

Thousands of patients have had their personal information sold to marketing companies after using an NHS-approved online pharmacy. Many of those who had their information flogged were using the Pharmacy2U service because they were too old or sick to travel to a chemist. The transaction was just one example of many in which confidential medical and financial information is being marketed to cold callers and conmen.

An investigation by the Daily Mail has uncovered widespread buying and selling of data by a range of firms and government departments. These include the Department of Education which bought data on teenagers’ parents from a firm already exposed for selling medical data, and payday loan lenders passing on the details of vulnerable people refused cash, leading to their being targeted by conmen.

They found that confidential financial details such as incomes, investments and the contents of pension pots were being sold for as little as 5 pence to cold callers and fraudsters. Mail journalists were also able to buy confidential medical information such as the names of people suffering from a range of conditions including diabetes, high blood pressure, bladder problems and arthritis, for just 19 pence.

One of the more egregious examples was that of Pharmacy2U, the country’s leading NHS approved online pharmacy, which sold confidential details including email addresses, dates of birth and the dates of patients’ last prescriptions to marketing firm Alchemy Direct Media. All this was done without properly consulting patients.

Pharmacy2U admitted that it had sold the names and addresses of “up to 5,000” people at a time on at least three occasions. It refused to confirm how much money the data had sold for. The company said that it had then decided to stop selling the information and insisted that no medical data was passed on. Pharmacy2U also offers an online consultation service; the names and addresses of people who used that service were also passed on to Alchemy Media, which has a turnover of £17 million.

When registering for the prescription service, patients using Pharmacy2U must accept terms and conditions to proceed with the delivery, but no mention is made in those terms regarding the passing of information on to third parties. That detail is only mentioned in the small print of their privacy policy.

A spokesman for Pharmacy2U said: “Only name and address information has been sold and no permission for any other data to be sold has been provided by Pharmacy2U.

“Alchemy Direct Media (UK) Ltd work for Pharmacy2U under a strict agreement and other data was provided to them under that agreement for internal purposes, such as understanding the recency of the data, but not for sale to external parties.

“This type of data processing for companies by their agencies is normal business practice. No medication information or data relating to medical conditions has been shared with Alchemy Direct Media (UK) Ltd.”

And Michael Smith, managing director of Alchemy Direct Media, said: “We are an ICO registered company and are satisfied that the information held on this database complies with current data protection and ICO regulation.”

But the Information Commissioner, Christopher Graham, has dismissed the notion that people have opted in to have their medical records sold on. Promising to launch an inquiry into the practice, he said: ‘It’s just beyond belief that people have signed up to be cold called about their bladder problems. There’s a nice little trade going between different commercial companies where our personal info has value to others.”

Members of Parliament have also slammed the company for the transactions, calling for the police to investigate. Dr Sarah Wollaston, who chairs the health select committee said: “This is awful. It is just beyond belief that anyone working for this company could have thought it reasonable to sell these records. If people forward their prescriptions to a pharmacy they should never expect that to be anything other than totally confidential.

“The CEO of this company should be personally held to account. Did he know about this? People should never use this online service again. I just can’t see how this could be legal. It is a whole other level. I hope the police will investigate.”

Her colleague Andrew Percy, a fellow Tory member of the same committee, added: “This is the most disgraceful breach of trust. People access NHS services with an expectation that everything about it will be private. Patients would never expect that when using an NHS approved pharmacy service their details would then be sold on. This is putting our most vulnerable people at risk. It is a complete outrage and must stop immediately.”