An online pharmacy part-owned by Emis Health faces a £130,000 fine after it sold customer details to a direct marketing company.
An Information Commissioner's Office report says that information from 21,500 patients who used the Pharmacy2U service had been offered for sale through Alchemy Direct Media during November and December 2014.
These details were purchased by several companies, including Healthy Marketing, a mail-order health supplements company that the ICO said has been cautioned for an advertisement that contained unauthorised health claims.
Other recipients include an Australian lottery company that is under investigation by Trading Standards for fraud and money laundering, and Black Kite Media, which ordered patient details on behalf of Camphill Village Trust, a charity that manages communities for people with disabilities.
The ICO inquiry was launched in spring after an investigation by the Daily Mail prompted health data privacy campaign group medConfidential to make a formal complaint.
The ICO found that Pharmacy2U had breached the Data Protection Act by not informing its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on.
The fine is the first ever issued by the ICO for 'unfair processing' of data, a breach of the first principle of the Data Protection Act.
David Smith, deputy commissioner of the ICO, said it was “inconceivable that a business in this sector could believe these actions were acceptable”.
“Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that.”
The ICO said that the Australian lottery firm appeared to have “deliberately targeted elderly and vulnerable individuals” by ordering 3,000 records relating to males aged 70 or over.
These men received a mailer saying they had been selected to “win millions of dollars” and were asked to complete and return a form within seven days along with payment of an unspecified sum of money. The ICO commented that it is likely customers will have “suffered financially” as a result.
Pharmacy2U’s actions were heavily criticised by Phil Booth, founder of medConfidential.
He said: “When medConfidential made a complaint to the Information Commissioner on behalf of patients who were being marketed, we’d no idea the trade in their data was as murky as this.”
“Vulnerable people shouldn’t be exposed to this sort of harm and distress, but what’s doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company [Emis] that provides a majority of GPs with their medical records systems.”
Emis, which has a 20% stake in Pharmacy2U, told Digital Health News that it was “extremely concerned when this issue was originally reported” and that it was taking the ICO announcement “very seriously”.
The company’s chief executive Chris Spencer said: “The decision by Pharmacy2U to sell data was made without my personal knowledge or authority as a non-executive Pharmacy2U board member, or that of anyone at EMIS Group PLC.”
He added that the decision to sell data was made by the day-to-day management team at Pharmacy2U and was not discussed at board level.
In a statement Daniel Lee, managing director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.”
He added that the company only sold names and postal addresses of people and that it plans to implement a prior consent model for its own marketing and will no longer sell customer data.
Lee also mentioned that it had no information available at the time to know that the lottery company was under investigation by Trading Standards and that Healthy Marketing had been subject to a complaint about its advertising.
Pharmacy Voice, which represents community pharmacies in the UK, said: “Maintaining the confidentiality of patient data is both an ethical and legal requirement for pharmacies. Patients who use pharmacies either online or in the High Street must be guaranteed that their personal details will not be shared with third parties unless they have specifically provided consent.”
Booth added that fines won’t stamp out the problem of selling patient data and that it was necessary to create a blanket ban on all direct marketing based on medical information.