UK's Largest Online Pharmacy Sold Patients' Personal Data To Fraudsters (ibtimes.co.uk)

Ewan Palmer writes: The UK's biggest online pharmacy has been fined $200,000 for selling thousands of patients' personal data to scammers who targeted the sick and vulnerable. Pharmacy2U (P2U) was found to have breached the Data Protection Act for giving away details of patients to Australian Lottery fraudsters who targeted male pensioners and to a health supplements company that has been cautioned for misleading advertising. A company that dealt with patients who were being marketed to said they had 'no idea the trade in their data was as murky as this'.
  • that's all I have to say.

    oh, and any business that lets medical info about patients be hacked should be forced to go out of business and the CEOs and C-levels all should be put in jail.

    if we did that, overnight the security of such places would be 100% better. since there is no penalty to being incompetent, they continue to be as such.

    only if there is personal pain for the c-levels would anything like this change.

    • by Anonymous Coward on Tuesday October 20, 2015 @08:49AM (#50765133)

      This wasn't a hacking, it was SOLD to fraudsters

    • only if there is personal pain for the c-levels would anything like this change.

      Pretty much this.

      None of this tiny little fine and a bullshit promise to not do it again.

      The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this. And if that fine is less than they could have sold the data for, they'll just keep doing it.

      When corporate greed a

      • The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this.

        But you and I both know there will be new laws that punish the consumer, while the execs will be shielded from prosecution. All I know is someone in the mailroom probably was blamed for this.

    • This is just another part of the great NHS sell off.
      • by whoever57 ( 658626 ) on Tuesday October 20, 2015 @11:33AM (#50766181) Journal

        This is just another part of the great NHS sell off.

        WUT?

        What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

        • Re: (Score:3, Informative)

          by mcpheat ( 597661 )

          What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

          20% of P2U is owned by EMIS and the CEO of EMIS is a director of P2U.

          EMIS provides the electronic patient record systems for over half of the NHS in England.

  • by Anonymous Coward

    Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

    I've never understood why the NHS contracts out to private pharmacies - just dispense directly and stop throwing money away on the profits of middlemen. It's not the 1950s anymore and, as consolidation of big business has illustrated, it's more efficient to run established industries on a huge scale with continually optimised, automated algorithms, and competition is a

    • Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

      Exactly. With a fine that small, I have to wonder how much of a net profit the pharmacy made on selling information. The $200k is just going to get written off as a cost of doing business like most other paper tiger fines.

  • Even when you're not the product, you're the product. I would go on, but I have an urge to go buy some LightSpeed Briefs.
  • by Anonymous Coward

    I don't think the fraudsters angle of this story should matter. The issue is:

    UK's Largest Online Pharmacy Sold Patients' Personal Data.

    But, what are they gonna do. Absolutely nothing will happen to the offending corporation despite your outrage.

  • I'm pretty sure they got more than 200'000$ profit from selling this information.

    That fine is ridiculous, the executives probably had it as just another line on their expenses budget, right under "coke, strippers and champagne - 300'000$"
    • Comment removed based on user account deletion
      • A first fine is almost always ridiculous. This is not about revenge. This is about not letting it happen again.

        Unless there are some strong mitigating circumstances, the fine for this act should be sufficient to shut the company down and its directors should be personally held liable. That would not only stop this company from doing it again, but also stop any other company doing it.

      • The problem I see with this is that it gives every company a "Get out of jail free" card. You can make millions of profit from selling customer data ... as long as you don't get caught more than once!
  • Privacy = $9.52 (Score:3, Informative)

    by Anonymous Coward on Tuesday October 20, 2015 @09:17AM (#50765349)

    So the article says these folks sold about 21K of their customers' records and were fined $200K.

    Am I mistaken, or does this mean that each customer's privacy is worth a little under $10.00?

    • 21,000 customer records were sold. The records contained names and addresses, and could be supplied pre-filtered by criteria such as age, sex or whether a purchase had been made within the last 12 months. As far as I can tell, the records did not contain purchase history or other medical information. I would have expected the fine to be considerably higher if it had.

      The official enforcement notice from the information commissioner can be found at https://ico.org.uk/action-weve... [ico.org.uk]

      In short, pharmacy2u re
  • 200 thousand?

    Hell, that's cheaper than paying baksheesh to politicians.

    This sounds like a mere cost of doing business, like replacing ceiling lamps.

  • by 140Mandak262Jamuna ( 970587 ) on Tuesday October 20, 2015 @09:25AM (#50765405) Journal
    Did it make more than 200K by selling the data to the fraudsters? Then it is a mere slap on the wrist.

    Sufficiently advanced creative accounting is indistinguishable from fraud. ---Arthur C Clarke.

    • by AmiMoJo ( 196126 )

      In cases where the data was sold off rather than stolen, i.e. where the company deliberately broke data protection rules, the company should be wound up. The assets would be liquidated and used to compensate innocent employees and customers, and then suppliers and if there is any left over used to fund other investigations.

      • by N1AK ( 864906 )
        Can we bring that in for companies that knowingly sell products with life threatening flaws (both Ford & GM), that illegally pollute (GE), that cooperate in unlawful surveillance (AT&T, most other carriers, and many tech companies) or do anything else that is equally bad or worse? Sure you'd put most of America's (and the rest of the worlds) workforce out of jobs, but it's a principle thing right? If a company does something like this then why on earth do people think winding the company up is the
    • by moeinvt ( 851793 )

      The article states that they had information on 21k people and were offering it up at a price of ~20 cents per unit. Unless they were able to sell the information to 48 different customers, they took a loss.
      Seems hard to believe that you could sell the same mailing list 48 times.

    • The data was sold for £130 per 1,000 names/addresses - so in this case, a total of 21,000 name/address records were sold for about £2700.

      In this case, they were only selling a mailing list, and not medical information. However, the reason for the ruling was that customers of pharmacies are more likely than the general public to be vulnerable, for example by being elderly or having dementia, and that the company had not made clear, when customers signed up for an account, that it would sell the data.
  • by Jason Levine ( 196982 ) on Tuesday October 20, 2015 @09:49AM (#50765555) Homepage

    Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter.

    Not deliberate? They advertised the records for sale and then sold the records to the fraudsters. It wasn't like their systems were hacked. This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in. "I'm sorry your house was trashed. This wasn't deliberate. All I did was sell my friend a copy of the key to your house for $50. Clearly, I wasn't to blame for this incident."

    • This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in.

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described, while the Data Protection Act does exactly that in the case we're discussing. Sadly, it's only punishable by a fine though, and the upper limit on what the Commissioner can seek is quite modest by commercial standards. The relevant law is not enforceable through powers of arrest and punishable by jail time.

      • Except that as far as I know there is no law explicitly making it a criminal offence to do what you described

        How about this example: I lend my car to my next-door neighbour and he sells it. I suspect that there are laws making my neighbour's act illegal.

  • In the UK? (Score:4, Insightful)

    by YrWrstNtmr ( 564987 ) on Tuesday October 20, 2015 @10:49AM (#50765941)
    Interesting. We are continually told that UK/EU data protection laws are sooo much better than in the US and elsewhere, and this type of thing can never happen.
    • by N1AK ( 864906 )
      Because they likely are. If it was an American pharmacy they'd have contractual terms hidden somewhere giving them permission to sell your data to whomever they liked and they wouldn't be getting fined at all... Data protection laws clearly can't stop crime (in the same way that laws against murder don't stop murder); it hardly takes a genius to realise that.
  • Why is the fine so tiny? One would think the fine would be big enough to bankrupt the offending company.
  • Hey, that actually makes it a viable business.

    1. Sell medical supplies at cost.
    2. Watch people swarm you to get your cheap stuff, handing over any and all info you might want (and then some, because CHEAP!).
    3. Sell their data to any and all fraudsters that could possibly want it.
    4. If (and only if) someone in government wakes up and dares to move against a business for a change, pay a pittance to shut them up.
