Remote healthcare, electronic health records, big data and wearable health-tracking technologies are among the many internet-enabled advances brought to the healthcare market. Innovations in the digital management of data are beginning to revolutionise medicine in a profound way throughout the supply chain, from clinical trials and pharmaceutical development through to the treatment stage and ongoing patient care.

The internet is also prompting a shift in the way that prescription medications are sold and distributed, with 20th-century pen-and-paper models gradually giving way to online systems that emphasise convenience and, at their best, empower patients to better manage their health.

Online pharmacies: a growth market

Online pharmacies are a growth market in many parts of the world, especially in developed countries with sophisticated healthcare systems. Although the legal complexities of regulating online prescription services have meant uneven implementation in markets such as Europe, as a whole the market is developing rapidly to offer increasingly complex products and services. Many digital mail-order pharmacies are expanding their scope to incorporate online consultation clinics and integrate more effectively with their traditional brick-and-mortar retail counterparts.

"Across Europe a number of major retail groups are combining traditional pharmacy with internet pharmacy and online medical consultation services to capture specific target audiences seeking confidentiality, convenience and low prices," reads the executive summary of healthcare consultancy James Dudley Management’s Mail Order and Internet Pharmacy in Europe report, updated in 2015.

"Today, the internet and mail-order pharmacy channel is breaking through as a rapidly growing, new and challenging retail channel. It is expanding its scope to include a wide range of front-end pharmacy categories such as cosmetics, hygiene, dietary supplements and medical devices. In some European states repeat prescriptions, contraception and orthopaedic care are included in an ever widening repertoire of lines."

In the UK, Pharmacy2U, the country’s largest NHS-approved online pharmacy, was instrumental in the legalisation of online pharmacies, with a successful inspection of the company’s operations at the turn of the century providing an important proof-of-concept that led to the amendment of the Medicines Act 1968 and the Royal Pharmaceutical Society’s codes of ethics to make legal provision for the creation of online pharmacies.

But recently, the company hit the headlines for a considerably more concerning reason, unwittingly fuelling discussion around one of the major remaining challenges for internet-based prescription services – can they be trusted with patient data, or at all?

Pharmacy2U: the question of trust

Given the particular sensitivity and vulnerability of electronic patient data, one of the most pressing concerns regarding online pharmacies is the security and ethical handling of customers’ personal information. In March 2015 the Daily Mail reported on Pharmacy2U’s previously hidden practice of offering customer data for sale through an online marketing list company without customers’ knowledge. The newspaper’s article was followed by a complaint by health data watchdog MedConfidential and a full investigation by the Information Commissioner’s Office (ICO), the UK’s national data protection authority charged with upholding the Data Protection Act 1998.

The ICO made its ruling at the end of October, issuing a fine of £130,000 to Pharmacy2U after discovering "a serious contravention of the first data protection principle". According to investigators, the company sold the names and addresses of 21,500 NHS patients and Pharmacy2U customers, advertising that the lists would include patients with a range of health conditions, including asthma, Parkinson’s disease and erectile dysfunction. Buyers were also offered breakdowns of demographic information such as age and gender. Data was advertised at £130 per 1,000 records.

Perhaps most shockingly, there appeared to be little to no due diligence on the organisations to which this data was sold. Of the three groups that bought data, one – an Australian lottery company – is under investigation by trading standards authorities for fraud and money laundering, while another – a health supplement company based in Jersey – was adjudicated against in February 2015 by the UK Advertising Standards Authority for "misleading advertising" and making "unauthorised health claims". Although the ICO’s ruling noted it was unlikely that the backgrounds of these companies would have been known to Pharmacy2U at the time of the transactions, it shows a disturbing lack of judgement by one of the UK’s most trusted online pharmacies.

"Patient confidentiality is drummed into pharmacists," said ICO deputy commissioner David Smith when the fine was announced. "It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences. It should send a clear message to other companies that the customer data they hold is not theirs to do with as they wish."

In light of the ICO ruling, Pharmacy2U apologised for the "regrettable incident" and confirmed it would no longer sell customer data to third parties.

What can be done?

Pharmacy2U’s medical data breach so far appears to be a relatively unusual case, and although MedConfidential co-ordinator Phil Booth argued that its £130,000 fine "won’t stamp out this poisonous trade", it’s worth noting that, at a price of £130 per 1,000 records, the fine is more than 40 times the money the company would have made from the deals. The example set by the ICO may prove more effective than Booth suggests, though his suggestion of a "blanket, statutory ban on all marketing to patients" is a more radical measure that could be considered.

For reputable online pharmacies (and companies more widely, for that matter), there are lessons to be learned from the Pharmacy2U incident that could improve how they go about explaining their data processing policies. As noted in a blog post written by Emily Carter and Jonathan Blunden of London-based law firm Kingsley Napley, responsible companies should be moving to proactive consent models – opt-in checkboxes, rather than slyly hidden opt-out boxes – and take care to clearly explain their data policies in plain English to establish informed consent, two points on which Pharmacy2U was penalised.

"This issue will have taken a considerable toll upon Pharmacy2U’s reputation following the publication of the MPN [monetary penalty notice] and associated press attention," wrote Carter and Blunden. "In this case, it is clear that the cost of not treating personal data of customers with proper care far outweighs the benefits of the sales. This is perhaps the most important lesson of all."

But as visible as the Pharmacy2U scandal is, it appears to be, for now, a relatively isolated occurrence, and part of a much wider medical data security landscape – a rich tapestry of issues and vulnerabilities. Rogue, unregulated online pharmacies are rife in many markets, usually outnumbering legitimate sites – in 2012, the US Food and Drug Administration found that 96% of reviewed online pharmacies were "operating out of compliance of pharmacy laws". Sites that are willing to sell counterfeit or substandard drugs without prescription are unlikely to draw the line at data fraud.

Physical retail pharmacies are hardly immune to data security breaches either, as demonstrated by Walgreens, the US’s largest drug retailer. A Walgreens billing centre was burgled in late 2012, resulting in the leak of detailed patient computer and paper records, while in 2013, the company was criticised for its ‘Well Experience’ strategy, in which pharmacists were encouraged to walk the store to consult with customers. The initiative might have been good customer service, but advocacy group Change to Win claimed that the move left sensitive patient data unattended and in public view in 80% of locations running the initiative.

The topic of online pharmacies and patient data security is a complex tangle. The internet has introduced new concerns around data and supply chain security, but we can’t pretend these issues didn’t exist before, or only in pharmacies – and where there’s data, there will always be security risks. In any case, health systems can move closer to minimising these problems by continuing to monitor pharmacies closely and taking robust action against rule-breakers, as well as stamping out rogue operators and educating patients on reliable pharmacy channels, be they online or on the high street.