A London pharmacy has been fined £275,000 for its “cavalier attitude to data protection”, having left 500,000 patient records in an unsecured location since at least May 2018.
The fine, issued by the Information Commissioner's Office (ICO) on 17 December 2019, is the first to be issued under the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
Doorstep Dispensaree, on Burnt Oak Broadway in Edgware, was found to have left “approximately 500,000 documents” in unlocked crates, disposal bags and a cardboard box in a rear courtyard of the premises.
According to an enforcement notice issued by the ICO, the documents contained names, addresses, dates of birth, NHS numbers, medical information and prescriptions dated between January 2016 and June 2018.
The ICO said the documents were “not secure and they were not marked as confidential waste”, adding that some “were soaking wet, indicating that they had been stored in this way for some time”.
The ICO said it was unable to confirm the exact duration of the data breach but said it was “satisfied that it has been occurring, to some extent, since at least 25 May 2018”.
An accompanying ICO penalty notice, also published on 17 December 2019, said: “The data subjects can be very readily identified and linked to data concerning their health.
“Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”
While the ICO said the number of people “affected by the breach cannot be confirmed,” it estimated that the documents “related to around 78 care homes”.
“Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected,” the penalty document said.
The Medicines and Healthcare Regulatory Agency (MHRA) initially discovered the storage of documents in the pharmacy’s courtyard on 24 July 2018, while it was conducting its own investigation into alleged unlicensed and unregulated storage and distribution of medicines by the pharmacy.
The information from the MHRA led the ICO to begin investigating the company’s compliance with GDPR on 15 August 2018, which found that most of the pharmacy’s procedures relating to data processing had not been updated since April 2015 – three years before the introduction of GDPR.
The ICO concluded that the company had failed to ensure the “appropriate security” of the personal data it processes and had “processed personal data in an insecure manner”, in contravention of GDPR Articles 5(1)(f), 24(1) and 32.
In deciding on the appropriate penalty for the pharmacy, the ICO said it “considers that the breach was extremely serious and demonstrates a cavalier attitude to data protection”, adding that the commissioner “is mindful that the penalty must be effective, proportionate and dissuasive”.
“Taking all the above factors into account, the commissioner has decided to impose a penalty in the sum of £275,000,” the penalty notice said. The pharmacy will be expected to pay by 17 January 2020.
The penalty notice states that no further action was taken in regard to the MHRA’s initial investigation, as it concluded that there was insufficient evidence to support a reasonable prospect of conviction.
Steve Eckersley, director of investigations at the ICO, said: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss.
“This falls short of what the law expects and it falls short of what people expect.”
The Pharmaceutical Journal has approached Doorstep Dispensaree for comment.