Slashdot Mirror


UK's Largest Online Pharmacy Sold Patients' Personal Data To Fraudsters (ibtimes.co.uk)

Ewan Palmer writes: The UK's biggest online pharmacy has been fined $200,000 for selling thousands of patients' personal data to scammers who targeted the sick and vulnerable. Pharmacy2U (P2U) was found to have breached the Data Protection Act for giving away details of patients to Australian Lottery fraudsters who targeted male pensioners and to a health supplements company that has been cautioned for misleading advertising. A company that dealt with patients who were being marketed to said they had 'no idea the trade in their data was as murky as this'.

58 comments

  1. if you can't protect it, don't collect it by TheGratefulNet · · Score: 1

    that's all I have to say.

    oh, and any business that lets medical info about patients be hacked should be forced to go out of business and the CEOs and C-levels all should be put in jail.

    if we did that, overnight the security of such places would be 100% better. since there is no penalty to being incompetent, they continue to be as such.

    only if there is personal pain for the c-levels would anything like this change.

    --
    "It is now safe to switch off your computer."
    1. Re:if you can't protect it, don't collect it by Anonymous Coward · · Score: 5, Insightful

      This wasn't a hacking, it was SOLD to fraudsters

    2. Re:if you can't protect it, don't collect it by gstoddart · · Score: 1

      only if there is personal pain for the c-levels would anything like this change.

      Pretty much this.

      None of this tiny little fine and a bullshit promise to not do it again.

      The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this. And if that fine is less than they could have sold the data for, they'll just keep doing it.

      When corporate greed and stuff like this is just going to lead to a meaningless fine, they'll just keep doing it.

      If the c-level executives knew it would be their asses on the line for crap like this, we might finally see some change.

      --
      Lost at C:>. Found at C.
    3. Re:if you can't protect it, don't collect it by Anonymous Coward · · Score: 0

      oh, and any business that lets medical info about patients be hacked should be forced to go out of business and the CEOs and C-levels all should be put in jail.

      The article says they weren't hacked, they were deliberately selling patient data to known scammers. It seems to me that a 130,000 pound fine is like a slap on the wrist for these criminals. Where are the huge fines and long prison sentences? Just like the US, there is no incentive for other companies not to engage in criminal activity; if you get caught there is a little fine to pay and business goes on.

    4. Re:if you can't protect it, don't collect it by Ol+Olsoc · · Score: 1

      The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this.

      But you and I both know there will be new laws that punish the consumer, while the execs will be shielded from prosecution. All I know is someone in the mailroom probably was blamed for this.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:if you can't protect it, don't collect it by invictusvoyd · · Score: 1

      Data on what the fraudsters (big pharma) sell to people was sold to fraudsters.

    6. Re:if you can't protect it, don't collect it by Big+Hairy+Ian · · Score: 1

      This is just another part of the great NHS sell off.

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    7. Re:if you can't protect it, don't collect it by Opportunist · · Score: 1

      Oh, in this case publishing the relevant C-Level's name and address along with what they did will do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:if you can't protect it, don't collect it by whoever57 · · Score: 3, Interesting

      This is just another part of the great NHS sell off.

      WUT?

      What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

      --
      The real "Libtards" are the Libertarians!
    9. Re:if you can't protect it, don't collect it by Anonymous Coward · · Score: 0

      It is an online pharmacy, that is just a drug dealer, and usually just as illegal. What do you expect happens with private data in the hands of criminals?

    10. Re:if you can't protect it, don't collect it by mcpheat · · Score: 3, Informative

      What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

      20% of P2U is owned by EMIS and the CEO of EMIS is a director of P2U.

      EMIS provide the electronic patient record systems for over half of the NHS in England.

  2. Meh by Anonymous Coward · · Score: 0

    They don't care. No one cares. Why?

    because FUCK YOU, that's why! What do you think you can do about it?

    1. Re:Meh by Anonymous Coward · · Score: 0

      Hack the Planet!

    2. Re:Meh by Opportunist · · Score: 1

      Why should they care?

      The formula for whether a crime is committed or not is simply

      profit / (chance of being caught * fine if caught)

      If larger than 1, DO IT.

      And bluntly, if (as is most likely in this case) the fine is lower than the profit, the chance of being caught can just as well be 1 (certainty) and the outcome is still DO IT.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Too Easy... by Anonymous Coward · · Score: 0

    I would love to see the laws changed to reflect how heinous crimes like these really are. If you expose the names, addresses, and private medical information to third-parties without consent -- and for profit -- you should lose your business, your bank account, and anything purchased with monies made from the illicit activity.

    I'm tired of seeing people get lax sentences. Ditto drug dealing. If you sell drugs to a minor child and it's proven, you get a rope around your neck. Ditto rape, incest. Too many criminals have nothing stopping them. Public executions and public beatings would curb a great deal of crime.

    1. Re:Too Easy... by Anonymous Coward · · Score: 1

      You're a would-be murderer, and you think we should care about what you want, other than maybe getting you off the streets and into an institution?

    2. Re:Too Easy... by fuzzyfuzzyfungus · · Score: 1

      The UK used to be substantially harder on the riffraff, debtors, and similar underclass trash; but can you point me to a time where the great and good of society were at greater risk?

  4. Capitalism. by Anonymous Coward · · Score: 1

    Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

    I've never understood why the NHS contracts out to private pharmacies - just dispense directly and stop throwing money away on the profits of middlemen. It's not the 1950s anymore and, as consolidation of big business has illustrated, it's more efficient to run established industries on a huge scale with continually optimised, automated algorithms, and competition is a needless and inefficient risk. Mind you, I don't get why they haven't in-housed GP surgeries either, as the relentless drive of GPs to become more short-termist business-like and become seduced by increased salary in return for unsustainable conditions has created a crisis in primary practice.

    1. Re:Capitalism. by ATMAvatar · · Score: 2

      Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

      Exactly. With a fine that small, I have to wonder how much of a net profit the pharmacy made on selling information. The $200k is just going to get written off as a cost of doing business like most other paper tiger fines.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  5. 200.000$ only ? by Anonymous Coward · · Score: 0

    Please confirm for me that this is a per-patient fine...

    1. Re:200.000$ only ? by Opportunist · · Score: 2

      Hey, be reasonable! They only sold the data of sick people needing medical aid, they didn't download copyrighted songs!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Violates the trope by willworkforbeer · · Score: 1

    Even when you're not the product, you're the product. I would go on, but I have an urge to go buy some LightSpeed Briefs.

    --
    Pretending this is my office full of bitter coworkers..
  7. Do Fraudsters Matter? by Anonymous Coward · · Score: 1

    I don't think the fraudsters angle of this story should matter. The issue is;

    UK's Largest Online Pharmacy Sold Patients' Personal Data.

    But, what are they gonna do. Absolutely nothing will happen to the offending corporation despite your outrage.

  8. Huh? by Anonymous Coward · · Score: 0

    "Pharmacy2U (P2U) was found to have breached the Data Protection Act for giving away details of patients to Australian Lottery fraudsters who targeted male pensioners and health supplements company that has been cautioned for misleading advertising."

    Say what?

  9. and Facebook and Google are the bad guys by Anonymous Coward · · Score: 0

    It seems that Europe should look closer to home for data villains. This was a UK company and an AUS company that were buying and selling HIPAA-excluded content. In the USA the Federal government would penalize such a thing out of existence and put the deciders in prison.

    Perhaps safe data in Europe is really political propaganda?

    1. Re:and Facebook and Google are the bad guys by Anonymous Coward · · Score: 0

      Perhaps safe data in Europe is really political propaganda?

      Perhaps UK isn't in on it the way the rest of EU is.

  10. Probably more profitable by Kid+CUDA · · Score: 2

    I'm pretty sure they got more than 200'000$ profit from selling this information.

    That fine is ridiculous, the executives probably had it as just another line on their expenses budget, right under "coke, strippers and champagne - 300'000$"

    1. Re:Probably more profitable by Anonymous Coward · · Score: 0

      Indeed.

      I think an appropriate punishment is forfeiture of all assets, bank accounts, anything associated with said business or profits, business and personal derived from said business. Also, create a registry of fraudsters and make it impossible for them to ever engage in business again as owners, decision makers, parties to profit-making entities. Force them, basically, to go get a real job and be a working stiff. Until we play hard ball, criminals will do what they do. Beat enough people around the head and shoulders with stiff penalties and we can thin the herd of those willing to test the system.

    2. Re:Probably more profitable by houghi · · Score: 1

      A first fine is almost always ridiculous. This is not about revenge. This is about not letting it happen again.

      If I drive through a red light, I get a fine that I can easily pay. If it happens the second time, it is a bit more and the third time I will seriously feel it.

      For me it is an appropriate fine. I disagree with all the "we should have them pay so much they go bankrupt." That is not a fine, that is an execution and has no results in the end.

      Because if that were the case, no crimes would be committed in countries that have a death penalty. Just kill everything that does something wrong? Kill the company in this case? Nope.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Probably more profitable by Anonymous Coward · · Score: 0

      If the company exists for the sole purpose of being a sham and to prey on people AND this can be proven, then, yes, they should forfeit their business. A company exists to make money, yes, but legitimate commerce means fair trade. The injured here had no say. Money was made in an underhanded way that denied the owners of the data their rightful due. This company is disingenuous at best.

    4. Re:Probably more profitable by Anonymous Coward · · Score: 0

      Maybe not.

      "Largest Online Pharmacy" is probably a bit misleading - it's not a big business. The fine is ~ 5-10% of their net assets.

      (People in the UK really don't use online pharmacy services - there's not really any point, you only pay the standard NHS prescription charge for whatever you're getting anyway, so it's never going to be cheaper, people would only go there for ease of access i.e. if they physically can't go to the physical pharmacy, which is usually next to the doctor's surgery...).

    5. Re:Probably more profitable by whoever57 · · Score: 1

      A first fine is almost always ridiculous. This is not about revenge. This is about not letting it happen again.

      Unless there are some strong mitigating circumstances, the fine for this act should be sufficient to shut the company down and its directors should be personally held liable. That would not only stop this company from doing it again, but also stop any other company doing it.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Probably more profitable by Kid+CUDA · · Score: 1

      The problem I see with this is that it gives every company a "Get out of jail free" card. You can make millions of profit from selling customer data ... as long as you don't get caught more than once!

  11. Privacy = $9.52 by Anonymous Coward · · Score: 3, Informative

    So the article says these folks sold about 21K of their customers' records and were fined $ 200K.

    Am I mistaken, or does this mean that each customer's privacy is worth a little under $10.00?

    1. Re:Privacy = $9.52 by Anonymous Coward · · Score: 0

      If that's true, it's shocking. The EU laws can, and should have shut them down for breach of the law. This wasn't an accident, or a hack, it was pure fucking greed.

    2. Re:Privacy = $9.52 by Anonymous Coward · · Score: 0

      So the article says these folks sold about 21K of their customers' records and were fined $ 200K.

      Am I mistaken, or does this mean that each customer's privacy is worth a little under $10.00?

      According to the fourth paragraph... The customers' privacy would be worth less than £0.13p per customer.

      "More than 100,000 customer details were advertised for sale on the database, which was broken down into categories including people suffering from ailments such as asthma, Parkinson's disease and erectile dysfunction and men over the age of 70. Records were advertised for sale for £130 per 1,000 records."

    3. Re:Privacy = $9.52 by ChumpusRex2003 · · Score: 1

      21,000 customer records were sold. The records contained names and addresses, and could be supplied pre-filtered by criteria such as age, sex or whether a purchase had been made within the last 12 months. As far as I can tell, the records did not contain purchase history or other medical information. I would have expected the fine to be considerably higher if it had.

      The official enforcement notice from the information commissioner can be found at https://ico.org.uk/action-weve...

      In short, pharmacy2u required users to register and provide name, address, DOB, etc. when registering a user account. During registration, there would be a checkbox to indicate consent for their details to be passed on to third parties for marketing purposes. Importantly, the box was pre-checked, so users had to actively opt out. P2U offered their customer list for sale via an agent, allowing filtered lists (from consenting customers) to suit the client's requirement. Two of the purchasers of the customer list were obvious scammers: a classic postal lottery scam, and supplements from a supplement vendor who had already been censured for making false claims. P2U executives had to personally approve the requests for sale of names/addresses. In the case of the sale of the names/addresses of 3000 elderly customers to the lottery scammers, the executive even suggested a change to the scammer's mailshot because it sounded too scammy.

      The reason for the fine was that the sale of personal data to scammers was not adequately covered by the "consent to share details for marketing purposes", and the consent was dubious anyway due to the opt-out checkbox. Further, because the P2U customers included vulnerable people, there was a significant risk of financial or medical harm to customers by allowing scammers to obtain the customer list.

  12. Profit! by Ol+Olsoc · · Score: 1

    200 thousand?

    Hell, that's cheaper than paying baksheesh to politicians.

    This sounds like a mere cost of doing business, like replacing ceiling lamps.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  13. Was 200K more or less? by 140Mandak262Jamuna · · Score: 2

    Did it make more than 200K by selling the data to the fraudsters? Then it is a mere slap on the wrist.

    Sufficiently advanced creative accounting is indistinguishable from fraud. ---Arthur C Clarke.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Was 200K more or less? by AmiMoJo · · Score: 1

      In cases where the data was sold off rather than stolen, i.e. where the company deliberately broke data protection rules, the company should be wound up. The assets would be liquidated and used to compensate innocent employees and customers, and then suppliers and if there is any left over used to fund other investigations.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Was 200K more or less? by Anonymous Coward · · Score: 0

      This is why I think there should be jailtime for those responsible - a fine doesn't really discourage or punish if they still end up making a profit.

      And if they never get caught, they have the added bonus of even more profits from avoiding the fine completely.

    3. Re:Was 200K more or less? by N1AK · · Score: 1

      Can we bring that in for companies that knowingly sell products with life-threatening flaws (both Ford & GM), that illegally pollute (GE), that cooperate in unlawful surveillance (AT&T, most other carriers, and many tech companies) or do anything else that is equally bad or worse? Sure, you'd put most of America's (and the rest of the world's) workforce out of jobs, but it's a principle thing, right? If a company does something like this then why on earth do people think winding the company up is the fitting punishment? The people most harmed by that decision will almost certainly not be the people who actually made the decision to do something wrong.

    4. Re:Was 200K more or less? by moeinvt · · Score: 1

      The article states that they had information on 21k people and were offering it up at a price of ~20 cents per unit. Unless they were able to sell the information to 48 different customers, they took a loss.

      Seems hard to believe that you could sell the same mailing list 48 times.

    5. Re:Was 200K more or less? by ChumpusRex2003 · · Score: 1

      The data was sold for £130 per 1,000 names/addresses - so in this case, a total of 21,000 name/address records were sold for about £2700.

      In this case, they were only selling a mailing list, and not medical information. However, the reason for the ruling was that customers of pharmacies are more likely than the general public to be vulnerable, for example, being elderly or having dementia; and that the company had not made clear, when customers signed up for an account, that it would sell the data.

  14. Market-based approaches? by Anonymous Coward · · Score: 0

    I'm not against criminal punishments for these CEOs and better regulation, but there's no reason we can't tackle this problem from multiple angles.

    Would you be willing to pay slightly more for medical care and/or drugs if the provider placed a deposit with a reputable third party? If your data is sold/leaked/hacked or made public for any reason within X decades, you are then paid their deposit. This deposit should be several times more than the increase in price, since a breach is hopefully unlikely.

    What about third party leak insurance? That way if you don't care about your privacy you don't have to buy it, but if your privacy is worth something to you you can insure against it leaking. Less trustworthy pharmacists would cause higher insurance rates, which is itself useful information. Insiders/hackers can already profit by selling personal info; this would help them profit by preventing a leak too.

    Both of these solutions assume the damage from a leak is greater than the benefit to CEOs/hackers/advertisers/fraudsters, and that there are at least some rational health care consumers. Maybe Augur and darknet markets can test this out before normal people are subjected to it - a lot of drug data was leaked by the Silk Road.

  15. COURTS by Anonymous Coward · · Score: 0

    If the courts would get off their butts and do their damn job instead of just pretending they are, then companies that do things like this would be seriously punished and so highly motivated not to do that in the future.

  16. Breach Not Deliberate? by Jason+Levine · · Score: 2

    Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter."

    Not deliberate? They advertised the records for sale and then sold the records to the fraudsters. It wasn't like their systems were hacked. This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in. "I'm sorry your house was trashed. This wasn't deliberate. All I did was sell my friend a copy of the key to your house for $50. Clearly, I wasn't to blame for this incident."

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Breach Not Deliberate? by Anonymous+Brave+Guy · · Score: 2

      This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in.

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described, while the Data Protection Act does exactly that in the case we're discussing. Sadly, it's only punishable by a fine though, and the upper limit on what the Commissioner can seek is quite modest by commercial standards. The relevant law is not enforceable through powers of arrest or punishable by jail time.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Breach Not Deliberate? by whoever57 · · Score: 1

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described

      How about this example: I lend my car to my next-door neighbour and he sells it. I suspect that there are laws making my neighbour's act illegal.

      --
      The real "Libtards" are the Libertarians!
  17. Should be barred from handling that type of data by Anonymous Coward · · Score: 0

    for at least five years. And that should mean both the business as well as the executives involved in the deal, no matter whose flag they fly.

  18. In the UK? by YrWrstNtmr · · Score: 3, Insightful

    Interesting. We are continually told that UK/EU data protection laws are sooo much better than in the US and elsewhere, and this type of thing can never happen.

    1. Re:In the UK? by N1AK · · Score: 2

      Because they likely are. If it was an American pharmacy they'd have contractual terms hidden somewhere giving them permission to sell your data to whomever they liked and they wouldn't be getting fined at all... Data protection laws clearly can't stop crime (in the same way that laws against murder don't stop murder); it hardly takes a genius to realise that.

    2. Re:In the UK? by Anonymous Coward · · Score: 0, Flamebait

      This is one example, fuckwit. The US doesn't have any protection laws outside of medical data. Everything collected in the US can be sold. So piss off with your feeble wanker sarcasm, cunt.

  19. WHY? by JimSadler · · Score: 1

    Why is the fine so tiny? One would think the fine would be big enough to bankrupt the offending company.

  20. 200k fine? by Opportunist · · Score: 1

    Hey, that actually makes it a viable business.

    1. Sell medical supplies at cost.
    2. Watch people swarm you to get your cheap stuff, handing over any and all info you might want (and then some, because CHEAP!).
    3. Sell their data to any and all fraudsters that could possibly want it.
    4. If (and only if) someone in government wakes up and dares to move against a business for a change, pay a pittance to shut them up.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. That's why I buy all my medical supplies from v1ag by Anonymous Coward · · Score: 0

    That's why I buy all my medical supplies from v1agra4u2fuck.com