Slashdot Mirror


UK's Largest Online Pharmacy Sold Patients' Personal Data To Fraudsters (ibtimes.co.uk)

Ewan Palmer writes: The UK's biggest online pharmacy has been fined $200,000 for selling thousands of patients' personal data to scammers who targeted the sick and vulnerable. Pharmacy2U (P2U) was found to have breached the Data Protection Act for giving away details of patients to Australian Lottery fraudsters who targeted male pensioners and to a health supplements company that has been cautioned for misleading advertising. A company that dealt with patients who were being marketed to said they had 'no idea the trade in their data was as murky as this'.

36 of 58 comments

  1. if you can't protect it, don't collect it by TheGratefulNet · · Score: 1

    that's all I have to say.

    oh, and any business that lets medical info about patients be hacked should be forced to go out of business and the ceo's and c-levels all should be put in jail.

    if we did that, overnight the security of such places would be 100% better. since there is no penalty to being incompetent, they continue to be as such.

    only if there is personal pain for the c-levels would anything like this change.

    --
    "It is now safe to switch off your computer."
    1. Re:if you can't protect it, don't collect it by Anonymous Coward · · Score: 5, Insightful

      This wasn't a hacking, it was SOLD to fraudsters

    2. Re:if you can't protect it, don't collect it by gstoddart · · Score: 1

      only if there is personal pain for the c-levels would anything like this change.

      Pretty much this.

      None of this tiny little fine and a bullshit promise to not do it again.

      The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this. And if that fine is less than they could have sold the data for, they'll just keep doing it.

      When corporate greed and stuff like this is just going to lead to a meaningless fine, they'll just keep doing it.

      If the c-level executives knew it would be their asses on the line for crap like this, we might finally see some change.

      --
      Lost at C:>. Found at C.
    3. Re:if you can't protect it, don't collect it by Ol+Olsoc · · Score: 1

      The knowledge that if this crap happens on their watch, the executives will be the ones they go after. Because as long as they don't do anything of consequence, there's no incentive for executives to stop doing crap like this.

      But you and I both know there will be new laws that punish the consumer, while the execs will be shielded from prosecution. All I know is someone in the mailroom probably was blamed for this.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:if you can't protect it, don't collect it by invictusvoyd · · Score: 1

      Data on what the fraudsters (big pharma) sell to people was sold to fraudsters.

    5. Re:if you can't protect it, don't collect it by Big+Hairy+Ian · · Score: 1

      This is just another part of the great NHS sell off.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    6. Re:if you can't protect it, don't collect it by Opportunist · · Score: 1

      Oh, in this case publishing the relevant C-Level's name and address along with what they did will do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:if you can't protect it, don't collect it by whoever57 · · Score: 3, Interesting

      This is just another part of the great NHS sell off.

      WUT?

      What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

      --
      The real "Libtards" are the Libertarians!
    8. Re:if you can't protect it, don't collect it by mcpheat · · Score: 3, Informative

      What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

      20% of P2U is owned by EMIS and the CEO of EMIS is a director of P2U.

      EMIS provide the electronic patient record systems for over half of the NHS in England.

  2. Capitalism. by Anonymous Coward · · Score: 1

    Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

    I've never understood why the NHS contracts out to private pharmacies - just dispense directly and stop throwing money away on the profits of middlemen. It's not the 1950s anymore and, as consolidation of big business has illustrated, it's more efficient to run established industries on a huge scale with continually optimised, automated algorithms, and competition is a needless and inefficient risk. Mind you, I don't get why they haven't in-housed GP surgeries either, as the relentless drive of GPs to become more short-termist business-like and become seduced by increased salary in return for unsustainable conditions has created a crisis in primary practice.

    1. Re:Capitalism. by ATMAvatar · · Score: 2

      Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? Seems worthwhile to do it again.

      Exactly. With a fine that small, I have to wonder how much of a net profit the pharmacy made on selling information. The $200k is just going to get written off as a cost of doing business like most other paper tiger fines.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  3. Re:Too Easy... by Anonymous Coward · · Score: 1

    You're a would-be murderer, and you think we should care about what you want, other than maybe getting you off the streets and into an institution?

  4. Violates the trope by willworkforbeer · · Score: 1

    Even when you're not the product, you're the product. I would go on, but I have an urge to go buy some LightSpeed Briefs.

    --
    Pretending this is my office full of bitter coworkers..
  5. Do Fraudsters Matter? by Anonymous Coward · · Score: 1

    I don't think the fraudsters angle of this story should matter. The issue is;

    UK's Largest Online Pharmacy Sold Patients' Personal Data.

    But, what are they gonna do. Absolutely nothing will happen to the offending corporation despite your outrage.

  6. Probably more profitable by Kid+CUDA · · Score: 2

    I'm pretty sure they got more than 200'000$ profit from selling this information.

    That fine is ridiculous, the executives probably had it as just another line on their expenses budget, right under "coke, strippers and champagne - 300'000$"

    1. Re:Probably more profitable by houghi · · Score: 1

      A first fine is almost always ridiculous. This is not about revenge. This is about not letting it happen again.

      If I drive through a red light, I get a fine that I can easily pay. If it happens the second time, it is a bit more and the third time I will seriously feel it.

      For me it is an appropriate fine. I disagree with all the "we should have them pay so much they go bankrupt." That is not a fine, that is an execution and has no results in the end.

      Because if that were the case, no crimes would be committed in countries that have a death penalty. Just kill everything that does something wrong? Kill the company in this case? Nope.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Probably more profitable by whoever57 · · Score: 1

      A first fine is almost always ridiculous. This is not about revenge. This is about not letting it happen again.

      Unless there are some strong mitigating circumstances, the fine for this act should be sufficient to shut the company down and its directors should be personally held liable. That would not only stop this company from doing it again, but also stop any other company doing it.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Probably more profitable by Kid+CUDA · · Score: 1

      The problem I see with this is that it gives every company a "Get out of jail free" card. You can make millions of profit from selling customer data ... as long as you don't get caught more than once!

  7. Privacy = $9.52 by Anonymous Coward · · Score: 3, Informative

    So the article says these folks sold about 21K of their customers' records and were fined $200K.

    Am I mistaken, or does this mean that each customer's privacy is worth a little under $10.00?

    1. Re:Privacy = $9.52 by ChumpusRex2003 · · Score: 1

      21,000 customer records were sold. The records contained names and addresses, and could be supplied pre-filtered by criteria such as age, sex or whether a purchase had been made within the last 12 months. As far as I can tell, the records did not contain purchase history or other medical information. I would have expected the fine to be considerably higher if it had.

      The official enforcement notice from the information commissioner can be found at https://ico.org.uk/action-weve...

      In short, pharmacy2u required users to register and provide name, address, DOB, etc. when registering a user account. During registration, there would be a checkbox to indicate consent for their details to be passed on to third parties for marketing purposes. Importantly, the box was pre-checked, so users had to actively opt out. P2U offered their customer list for sale via an agent, allowing filtered lists (from consenting customers) to suit the client's requirement. Two of the purchasers of the customer list were obvious scammers: a classic postal lottery scam, and a supplement vendor who had already been censured for making false claims. P2U executives had to personally approve the requests for sale of names/addresses. In the case of the sale of the names/addresses of 3000 elderly customers to the lottery scammers, the executive even suggested a change to the scammer's mailshot because it sounded too scammy.

      The reason for the fine was based on the fact that the sale of personal data to scammers was not adequately covered by the "consent to share details for marketing purposes", and the consent was dubious anyway due to the opt-out checkbox. Further, because the P2U customers included vulnerable people, there was a significant risk of financial or medical harm to customers by allowing scammers to obtain the customer list.
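      As an added example (not Pharmacy2U's, the agent's or the ICO's code), the following Python sketches how a list-export routine can honour the two points the notice turned on: a pre-ticked box is not consent, and consent to "marketing" does not stretch to releasing the list to a third party. Record fields, purpose names and the sample customers are constructed for illustration.

```python
"""Consent-gated export of a customer mailing list (added example).

A record is released only when the customer affirmatively ticked the box
(not left a pre-ticked default) AND agreed to the specific purpose the
export is for. Refusals carry a reason so the export is auditable.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Customer:
    name: str
    age: int
    marketing_consent: bool        # checkbox value at registration
    consent_defaulted: bool        # True if pre-ticked and never touched by the user
    purposes: FrozenSet[str]       # purposes the customer affirmatively agreed to


# Constructed sample data: 'A' never touched a pre-ticked box, 'B' explicitly
# agreed to third-party marketing, 'C' declined, 'D' agreed to own-marketing only.
CUSTOMERS = [
    Customer("A", 72, True, True, frozenset({"own-marketing"})),
    Customer("B", 68, True, False, frozenset({"own-marketing", "third-party-marketing"})),
    Customer("C", 45, False, False, frozenset()),
    Customer("D", 80, True, False, frozenset({"own-marketing"})),
]


def has_valid_consent(c: Customer, purpose: str) -> bool:
    """Consent counts only if it was an affirmative act for this purpose."""
    if c.consent_defaulted:          # pre-ticked default is not consent
        return False
    return c.marketing_consent and purpose in c.purposes


def export_list(customers: List[Customer], purpose: str,
                min_age: int = 0) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (released_names, refused) for a filtered export request.

    'refused' pairs each withheld name with the reason, for the audit log.
    Age filtering mirrors the pre-filtered lists the agent offered.
    """
    released, refused = [], []
    for c in customers:
        if c.age < min_age:
            continue
        if has_valid_consent(c, purpose):
            released.append(c.name)
        else:
            reason = "defaulted-consent" if c.consent_defaulted else "no-consent-for-purpose"
            refused.append((c.name, reason))
    return released, refused


if __name__ == "__main__":
    print(export_list(CUSTOMERS, "third-party-marketing", min_age=65))
```

      Under these rules a request for "third-party-marketing" among over-65s releases only B; A is withheld because the box was pre-ticked and D because own-marketing consent does not cover a third party.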

  8. Profit! by Ol+Olsoc · · Score: 1

    200 thousand?

    Hell, that's cheaper than paying baksheesh to politicians.

    This sounds like a mere cost of doing business, like replacing ceiling lamps.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. Was 200K more or less? by 140Mandak262Jamuna · · Score: 2

    Did it make more than 200K by selling the data to the fraudster? Then it is a mere slap on the wrist.

    Sufficiently advanced creative accounting is indistinguishable from fraud. ---Arthur C Clarke.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Was 200K more or less? by AmiMoJo · · Score: 1

      In cases where the data was sold off rather than stolen, i.e. where the company deliberately broke data protection rules, the company should be wound up. The assets would be liquidated and used to compensate innocent employees and customers, and then suppliers and if there is any left over used to fund other investigations.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Was 200K more or less? by N1AK · · Score: 1

      Can we bring that in for companies that knowingly sell products with life threatening flaws (both Ford & GM), that illegally pollute (GE), that cooperate in unlawful surveillance (AT&T, most other carriers, and many tech companies) or do anything else that is equally bad or worse? Sure you'd put most of America's (and the rest of the world's) workforce out of jobs, but it's a principle thing, right? If a company does something like this then why on earth do people think winding the company up is the fitting punishment? The people most harmed by that decision will almost certainly not be the people who actually made the decision to do something wrong.

    3. Re:Was 200K more or less? by moeinvt · · Score: 1

      The article states that they had information on 21k people and were offering it up at a price of ~20 cents per unit. Unless they were able to sell the information to 48 different customers, they took a loss.
      Seems hard to believe that you could sell the same mailing list 48 times.

    4. Re:Was 200K more or less? by ChumpusRex2003 · · Score: 1

      The data was sold for £130 per 1,000 names/addresses - so in this case, a total of 21,000 name/address records were sold for about £2700.

      In this case, they were only selling a mailing list, and not medical information. However, the reason for the ruling was that customers from pharmacies are more likely than the general public to be vulnerable, for example, being elderly or having dementia; and that the company had not made clear, when customers signed up for an account, that it would sell the data.

  10. Re:Too Easy... by fuzzyfuzzyfungus · · Score: 1

    The UK used to be substantially harder on the riffraff, debtors, and similar underclass trash; but can you point me to a time where the great and good of society were at greater risk?

  11. Breach Not Deliberate? by Jason+Levine · · Score: 2

    Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter."

    Not deliberate? They advertised the records for sale and then sold the records to the fraudsters. It wasn't like their systems were hacked. This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in. "I'm sorry your house was trashed. This wasn't deliberate. All I did was sell my friend a copy of the key to your house for $50. Clearly, I wasn't to blame for this incident."

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Breach Not Deliberate? by Anonymous+Brave+Guy · · Score: 2

      This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in.

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described, while the Data Protection Act does exactly that in the case we're discussing. Sadly, it's only punishable by a fine though, and the upper limit on what the Commissioner can seek is quite modest by commercial standards. The relevant law is not enforceable through powers of arrest or punishable by jail time.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Breach Not Deliberate? by whoever57 · · Score: 1

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described

      How about this example: I lend my car to my next-door neighbour and he sells it. I suspect that there are laws making my neighbour's act illegal.

      --
      The real "Libtards" are the Libertarians!
  12. In the UK? by YrWrstNtmr · · Score: 3, Insightful

    Interesting. We are continually told that UK/EU data protection laws are sooo much better than in the US and elsewhere, and this type of thing can never happen.

    1. Re:In the UK? by N1AK · · Score: 2

      Because they likely are. If it was an American pharmacy they'd have contractual terms hidden somewhere giving them permission to sell your data to whomever they liked and they wouldn't be getting fined at all... Data protection laws clearly can't stop crime (in the same way that laws against murder don't stop murder); it hardly takes a genius to realise that.

  13. WHY? by JimSadler · · Score: 1

    Why is the fine so tiny? One would think the fine would be big enough to bankrupt the offending company.

  14. Re:Meh by Opportunist · · Score: 1

    Why should they care?

    The formula for whether a crime is committed or not is simply

    profit / (chance of being caught * fine if caught)

    If larger than 1, DO IT.

    And bluntly, if (as is most likely in this case) the fine is lower than the profit, the chance of being caught can just as well be 1 (certainty) and the outcome is still DO IT.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:200.000$ only ? by Opportunist · · Score: 2

    Hey, be reasonable! They only sold the data of sick people needing medical aid, they didn't download copyrighted songs!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. 200k fine? by Opportunist · · Score: 1

    Hey, that actually makes it a viable business.

    1. Sell medical supplies at cost.
    2. Watch people swarm you to get your cheap stuff, handing over any and all info you might want (and then some, because CHEAP!).
    3. Sell their data to any and all fraudsters that could possibly want it.
    4. If (and only if) someone in government wakes up and dares to move against a business for a change, pay a pittance to shut them up.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.