Slashdot Mirror


UK's Largest Online Pharmacy Sold Patients' Personal Data To Fraudsters (ibtimes.co.uk)

Ewan Palmer writes: The UK's biggest online pharmacy has been fined $200,000 for selling thousands of patients' personal data to scammers who targeted the sick and vulnerable. Pharmacy2U (P2U) was found to have breached the Data Protection Act for giving away details of patients to Australian Lottery fraudsters who targeted male pensioners and to a health supplements company that has been cautioned for misleading advertising. A company that dealt with patients who were being marketed to said they had 'no idea the trade in their data was as murky as this'.

12 of 58 comments

  1. Re:if you can't protect it, don't collect it by Anonymous Coward · · Score: 5, Insightful

    This wasn't a hacking, it was SOLD to fraudsters

  2. Re:Capitalism. by ATMAvatar · · Score: 2

    Wow, only $200k, and only because of EU privacy protections that half the country are so desperate to exit? seems worthwhile to do it again.

    Exactly. With a fine that small, I have to wonder how much of a net profit the pharmacy made on selling information. The $200k is just going to get written off as a cost of doing business like most other paper tiger fines.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  3. Probably more profitable by Kid CUDA · · Score: 2

    I'm pretty sure they got more than 200'000$ profit from selling this information.

    That fine is ridiculous, the executives probably had it as just another line on their expenses budget, right under "coke, strippers and champagne - 300'000$"

  4. Privacy = $9.52 by Anonymous Coward · · Score: 3, Informative

    So the article says these folks sold about 21K of their customers' records and were fined $ 200K.

    Am I mistaken, or does this mean that each customer's privacy is worth a little under $10.00?

  5. Was 200K more or less? by 140Mandak262Jamuna · · Score: 2

    Did it make more than 200K by selling the data to the fraudster? Then it is a mere slap on the wrist.

    Sufficiently advanced creative accounting is indistinguishable from fraud. ---Arthur C Clarke.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Breach Not Deliberate? by Jason Levine · · Score: 2

    Daniel Lee, managing director of P2U, said: "This is a regrettable incident for which we sincerely apologise. While we are grateful that the ICO recognises that our breach was not deliberate, we appreciate this was a serious matter."

    Not deliberate? They advertised the records for sale and then sold the records to the fraudsters. It wasn't like their systems were hacked. This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in. "I'm sorry your house was trashed. This wasn't deliberate. All I did was sell my friend a copy of the key to your house for $50. Clearly, I wasn't to blame for this incident."

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Breach Not Deliberate? by Anonymous Brave Guy · · Score: 2

      This is like if I offer to watch my neighbor's house and then rent the house to my friends to throw a party in.

      Except that as far as I know there is no law explicitly making it a criminal offence to do what you described, while the Data Protection Act does exactly that in the case we're discussing. Sadly, it's only punishable by a fine though, and the upper limit on what the Commissioner can seek is quite modest by commercial standards. The relevant law is not enforceable through powers of arrest and punishable by jail time.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  7. In the UK? by YrWrstNtmr · · Score: 3, Insightful

    Interesting. We are continually told that UK/EU data protection laws are sooo much better than in the US and elsewhere, and this type of thing can never happen.

    1. Re:In the UK? by N1AK · · Score: 2

      Because they likely are. If it was an American pharmacy they'd have contractual terms hidden somewhere giving them permission to sell your data to whomever they liked and they wouldn't be getting fined at all... Data protection laws clearly can't stop crime (in the same way that laws against murder don't stop murder); it hardly takes a genius to realise that.

  8. Re:200.000$ only ? by Opportunist · · Score: 2

    Hey, be reasonable! They only sold the data of sick people needing medical aid, they didn't download copyrighted songs!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:if you can't protect it, don't collect it by whoever57 · · Score: 3, Interesting

    This is just another part of the great NHS sell off.

    WUT?

    What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

    --
    The real "Libtards" are the Libertarians!
  10. Re:if you can't protect it, don't collect it by mcpheat · · Score: 3, Informative

    What has this got to do with the NHS? You know that most pharmacies in the UK are (and always have been) private businesses, right?

    20% of P2U is owned by EMIS and the CEO of EMIS is a director of P2U.

    EMIS provide the electronic patient record systems for over half of the NHS in England.