Pharmacist Suspended for Three Months After Tesco Data Breach Involving 83,000 Patients
Date of Decision: April 27, 2023
Registrant's Role: Pharmacist
Outcome: Suspended for three months
GPhC Standards Breached:
- Standard 5 – Use Professional Judgment
- Standard 6 – Behave in a Professional Manner
- Standard 7 – Respect and Maintain Patient Confidentiality
- Standard 8 – Speak Up When Things Go Wrong
Case Summary
The General Pharmaceutical Council (GPhC) Fitness to Practise Committee investigated a pharmacist after he was caught transferring confidential patient data to his personal email account while working at Tesco Pharmacy.
Between 9 and 15 February 2019, he:
- Extracted a database containing confidential patient records from the Tesco pharmacy system (RxWeb).
- Sent an email from his Tesco account to his personal email, attaching an Excel spreadsheet with 83,000 patient records.
- Denied involvement when initially questioned but later admitted to the breach.
- Claimed he planned to use the data for “business growth” at an online pharmacy (Pharmadirect).
The GPhC was alerted after Tesco’s Data Leak Prevention (DLP) tool flagged the unauthorised transfer.
Findings:
The Fitness to Practise Committee found that the pharmacist’s conduct amounted to serious professional misconduct, considering:
- Mass Data Breach with Business Motives:
  - The pharmacist accessed patient information without clinical justification.
  - He intended to use the data to identify potential customers for Pharmadirect, an online pharmacy he was involved with.
  - The committee found that his actions were financially and professionally motivated.
- Dishonest Attempt to Conceal the Breach:
  - When questioned by Tesco’s Superintendent Pharmacist, he denied involvement.
  - That same evening, he emailed an apology, claiming the transfer was “inadvertent”.
  - However, he later admitted that his primary motivation was business growth.
- Risk to Patient Confidentiality:
  - The data included highly sensitive patient information, putting patients at risk of potential misuse.
  - The committee noted that: “The misappropriation of a large volume of confidential patient data from a pharmacy setting has particularly severe consequences in terms of public confidence.”
- Delayed Acceptance of Full Responsibility:
  - The pharmacist initially denied dishonesty when responding to the GPhC investigation in 2019.
  - It was only in April 2023, shortly before the hearing, that he fully admitted intending to use the data for personal or financial gain.
GPhC Determination on Impairment:
The GPhC ruled that the pharmacist’s fitness to practise was impaired, citing:
- The sheer volume of patient records involved.
- The deliberate and dishonest nature of the misconduct.
- The damage to public confidence in pharmacy data security.
The committee stated:
“This case raises serious concerns about the security of confidential patient information and public trust in the profession.”
However, the committee acknowledged that:
- The pharmacist had demonstrated remorse and completed remedial training on data security.
- He had reflected on the risks of data misuse and proposed governance improvements at his new workplace.
- There was no evidence that the data was ever actually misused.
Given these factors, the committee found that:
“While this misconduct was serious, the risk of recurrence is low. A period of suspension is proportionate to maintain public confidence.”
Sanction:
The committee imposed a three-month suspension, considering:
- Aggravating Factors:
  - Massive data breach involving 83,000 patients.
  - Dishonesty in concealing the breach.
  - Intended to use the data for business purposes.
- Mitigating Factors:
  - The pharmacist admitted wrongdoing before the hearing.
  - No evidence that the data was actually used or misused.
  - He had since taken training courses on data security and professional ethics.
  - He had strong testimonials from employers, confirming that he had changed his approach to data handling.
The committee ruled that:
“A suspension of three months is proportionate. It marks the seriousness of the case but allows the pharmacist to return to practice once the period has elapsed.”
Key Learning Points for Pharmacy Professionals:
This case highlights critical lessons regarding data security, professional honesty, and public trust in pharmacy practice.
- Patient Data Must Never Be Used for Personal or Business Gain:
  - Extracting patient data for any reason other than clinical care is a serious breach of confidentiality.
  - Business motives do not justify unauthorised access to patient information.
- Dishonesty Can Worsen Regulatory Consequences:
  - The pharmacist initially denied involvement, which prolonged the investigation.
  - Regulators view concealment as an aggravating factor.
- Data Security Systems Can Detect Breaches:
  - Tesco’s Data Leak Prevention (DLP) system identified the unauthorised transfer.
  - Pharmacists should assume that all digital activity is monitored and comply with data security policies.
- Remedial Action Can Mitigate Sanctions:
  - The pharmacist avoided removal from the register because he showed insight and engaged in training.
  - Demonstrating learning and improvement is crucial in fitness to practise cases.
- Public Trust in Pharmacy Relies on Confidentiality:
  - Patients must feel confident that their personal data is safe.
  - Even unintentional breaches can damage public perception of pharmacy services.
Conclusion:
This case serves as a strong reminder that data security is a fundamental professional responsibility.
While the pharmacist avoided removal from the register, the three-month suspension reflects the severity of mishandling patient data.
Pharmacists must prioritise patient confidentiality at all times, ensuring that professional and ethical responsibilities are upheld.