Online pharmacy Pharmacy 2U has been charged with a £130,000 fine for selling customer details to a marketing company without consent.
In an investigation, the Information Commissioners Office found that around 20,000 customer details were offered for sale through an online marketing list company.
The ICO said that Pharmacy 2U has breached the Data Protection Act as it offered to sell customers' names and addresses to other companies without consent. Companies that bought the details included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company, which is currently under investigation by Trading Standards.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed," Pharmacy 2U managing director Daniel Lee said. "We have also confirmed that we will no longer sell customer data."
Privacy group medConfidential, which informed the ICO of the practice, welcomed the fine but added that more action needs to be taken.
"Vulnerable people shouldn't be exposed to this sort of harm and distress, but what's doubly appalling is that this was done by the largest NHS-approved online pharmacy in the country, which is part-owned by the company that provides a majority of GPs with their medical records systems," medConfidential coordinator Phil Booth said.
"Six-figure fines alone won't stamp out this poisonous trade; not when there's so much profit to be made. There must now be a blanket, statutory ban on all marketing to patients. Those who profiteer from patients' data are predators and should face prison when they are caught."