CCG and ICO probe pharmacy firm's access to patient details

East Staffordshire CCG is looking into an allegation by a member of the public who attended a governing body meeting that Pharmacy2U had accessed the details of the GP surgeries patients were registered with.

In governing body meeting minutes from 27 April, published by the CCG on 29 June, John Bridges claimed Pharmacy2U were using a “known association” with GP patient record supplier EMIS to gain access to the details of patients’ GPs. He said leaflets were being received with patients’ GP surgeries printed on them.

EMIS was previously a shareholder in Pharmacy2U. The company told HSJ it disposed of its shares in July 2016.

According to the minutes the CCG’s response was: “This is concerning information and Wendy Kerr [chief finance officer] will take this through the medicines optimisation route to investigate.”

However, the response continued: “It could be as simple as the company taking a guess as [to] which surgery you are attributed to dependant on the area in which you live.”

East Staffordshire CCG told HSJ it was looking into the matter but has refused to comment further.

The ICO has also confirmed that it was already “aware of a potential situation involving Pharmacy2U and East Staffordshire CCG and [is] making enquiries.”

The Alrewas GP surgery in East Staffordshire CCG’s area, has published a notice telling patients: “Many local residents have received a promotional letter from a company called Pharmacy2U. Please be aware that this has not come from the surgery and is a marketing tactic.” 

Pharmacy2U is authorised to link to EMIS Group software in order to deliver the NHS electronic prescription service. The firm is able to access patient information to dispense medication if it has been instructed by the patient.

A spokesman for Pharmacy2U said: “Pharmacy2U does not access patient data through the EMIS Group software for marketing purposes.

“Like most companies we will send information to people who we believe would benefit from our service – typically people who live near to surgeries that are electronic prescription service enabled.”

A spokeswoman from EMIS said: “We do not share patient data with any third party unless there is appropriate patient consent in place for us to do so and for the sole purpose of supporting the patient’s care and where instructed to by the NHS organisation responsible for their care.”

Pharmacy2U was previously fined by the Information Commissioners Office in 2015 for selling the details of 20,000 customers to marketing companies without their consent.