
Pharmacy data breach results in first ever GDPR fine


A London-based pharmacy has been fined £275,000 by the Information Commissioner's Office (ICO) for a significant data breach failure. This is the first fine issued for breaching General Data Protection Regulation (GDPR) rules.

What happened in this case?

Doorstep Dispensaree Ltd left approximately 500,000 documents in unlocked crates, disposal bags and a cardboard box at the back of its premises in Edgware. The data had been there for some time. The documents were "not secure and they were not marked as confidential waste".

Following its investigation, the ICO accused the pharmacy - which supplies medicines to thousands of elderly care home residents - of having a "cavalier attitude to data protection".

According to the ICO penalty notice:

"The data subjects can be very readily identified and linked to data concerning their health.

"Given the nature of Doorstep Dispensaree's business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable."

Thousands of people may have been affected

The number of people affected by the breach cannot be confirmed. However, the documents relate to around 78 care homes. The ICO has said:

"Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree's business, it appears likely that hundreds and possibly even thousands of data subjects have been affected."

What data was put at risk in this pharmacy data breach?

The documents involved in this breach included:

  • Names
  • Addresses
  • Dates of birth
  • NHS numbers
  • Medical information
  • Prescriptions

The mishandled information was dated between June 2016 and June 2018. As well as not being appropriately secured, many of the documents were not protected against the elements. As a result, they were soaking wet.

In the UK, data must be handled in a way that protects against unauthorised or unlawful processing, accidental loss, destruction or damage. A failure to do this is an infringement of the GDPR.

Special category data

The data exposed in this privacy failure is classed as 'special category data'. Special category data is personal data that needs more protection because it is sensitive, for example health data or information about sexuality, religion or political beliefs. You can find out more about special category data here.

Several conditions must be adhered to when processing special category data. It is highly unlikely (if not impossible) that any pharmacy wouldn't know about their obligations under the UK's data protection laws. So, it is right that the ICO has fined Doorstep Dispensaree.

What has the ICO said about this pharmacy data breach?

The ICO is the UK's independent regulator for data protection law. Among other things, the ICO helps to uphold and protect our information rights as individuals.

When setting the fine, the ICO only considered the violation from 25 May 2018. This is when the GDPR came into effect. This allowed the ICO to issue a larger fine than would have been possible under old data protection legislation.

Commenting on its investigation into Doorstep Dispensaree, Steve Eckersley, Director of Investigations at the ICO, said:

"The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect."

The pharmacy has also been ordered to improve its data protection practices within three months. Failure to do this could result in further action.

What can you do if this data breach impacted you?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty of a breach by the ICO - as in this case - you can use that information to support a data protection compensation claim.

At Hayes Connor Solicitors, we are experts in helping people who have suffered a medical data breach violation, and we have all the experience needed to help people who have been affected by the Doorstep Dispensaree data breach.

Why choose Hayes Connor Solicitors?

We are an established and trusted firm that has been helping people to claim compensation for over 50 years.

Our solicitors are true specialists in data protection law. Unlike other firms, it is all we do, and we have been doing it for longer than most. As such, we lead the way when it comes to understanding the complexities involved. We are confident that our team will get the best possible result for you.

Just as important, by making sure you are fully informed at all times, we ensure a stress-free experience from start to finish.

Your data rights matter

Crucially, at Hayes Connor, we are committed to upholding your data rights. As such, you do not need to have suffered any financial loss or emotional distress to make a claim against Doorstep Dispensaree. The fact that you have suffered a privacy violation gives you the right to claim compensation.

Furthermore, claiming compensation isn't just in your best interests; it is often the only way organisations are persuaded to take their responsibilities seriously and make the necessary improvements.

Contact Hayes Connor Solicitors today for a free, confidential assessment of your case.

If you are worried that you, or someone you love, had their data breached by Doorstep Dispensaree, contact us to speak to us about your experience.

If you have a reasonable chance of winning, we will act for you on a NO WIN, NO FEE basis. That means, if your compensation claim is unsuccessful, you'll have absolutely nothing to pay. There is nothing to lose by getting in touch, and there's never any obligation to make a claim.