The UK’s largest NHS-approved online pharmacy has been fined £130,000 for selling details on over 20,000 customers to overseas organisations without customers' permission.
Pharmacy2U was found to have advertised details on over 100,000 customers as being for sale, and sold 20,000. These details were often sold on the basis of why the customer had used the website, such as for conditions including asthma and Parkinson’s disease. The records were sold for as little as £130 per 1,000.
One particularly notable sale of customer data involved an organisation in Australia called The Lottery Company which used the information to contact people saying they had been “specially selected” to “win millions of dollars”.
Pharmacy2U was shown this wording and a company executive signed off the sale of the data despite being aware of its "spammy" nature.
“OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately,” the executive is reported as saying.
ICO deputy commissioner David Smith said it was “inconceivable that a business in this sector could believe these actions were acceptable”.
“Put simply, a reputable company has made a serious error of judgement, and today faces the consequences. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish,” he said.
Smith urged other organisations to heed the case as an example of the perils of agreeing to sell customer data to other organisations.
“Once people’s personal information has been sold on in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details,” he said.
Responding to the fine, Daniel Lee, managing director of Pharmacy2U, said that the company regretted what had taken place and had now agreed to no longer sell customer information.
“This is a regrettable incident for which we sincerely apologise,” he added.
Lee also looked to reassure customers that no medical information, email addresses or telephone numbers were sold, and that only names and postal addresses were sold for one-time use.
The fine could fall to £104,000 if the company pays up by 13 November.