GPhC suspends ex-Tesco pharmacist for ‘extremely large’ data breach
A pharmacist who sent an “extremely large” amount of private patient data to his personal email while working for Tesco in 2019 has been suspended for three months by the GPhC.
On April 25-27 the GPhC’s fitness to practise committee considered the case of Adal Bashir, a Manchester pharmacist who first qualified in 2015. While working at the Ellesmere Shopping Centre branch of Tesco Pharmacy in February 2019, he sent himself a spreadsheet from his work email containing roughly 83,000 rows of data that he had downloaded from the pharmacy PMR.
The data included items such as patients’ names, dates of birth, NHS numbers, contact details and GP details. The data transfer was identified by the Tesco Data Leak Prevention Tool (DLP) on February 15 2019.
When first approached by the superintendent pharmacist, he initially denied the allegations but then said he had “inadvertently” sent it to himself and that he had meant to “focus recruitment by highlighting patients who are not using the services on a regular basis”. He repeated this in December 2019 when the GPhC was investigating the case.
However, Mr Bashir, who was also working as a superintendent at online pharmacy Pharmacydirect at the time in question, now admits that he meant to use the data for his own personal and/or financial purposes, and that his initial response to the allegations had been dishonest.
In his witness statement and oral evidence, Mr Bashir said he had been unhappy in his role at Tesco and felt he had been “overlooked,” citing this as a factor influencing his actions. He also said he quickly realised the serious nature of his actions and then acted immediately to destroy the data.
“It was just an impulsive thought process driven by emotion and anger… a lot of anxiety as well,” he said, adding that he had not discussed his actions with anyone at Pharmadirect at any prior point.
In his written evidence and oral testimony, Mr Bashir expressed remorse for his actions and demonstrated an understanding of the potential impact on patients. He provided evidence of his remedial efforts, which include courses in GDPR and ethics, as well as a written strategy on preventing data breaches in pharmacy, saying: “This will limit impulsive and reckless decision making like I did when I sent the data to myself for personal gain.”
He also produced testimonials, including one from his current employer 5 health solutions, which said he had “made significant contributions to the pharmacy’s operations, including data handling and GDPR practice relating to protecting patient data and regulatory compliance”.
Representing the GPhC, barrister Matthew Corrie said Mr Bashir’s actions in transferring “an extremely large amount of confidential patient data” for his own interests amounted to misconduct, and that a finding of impairment was needed to protect the public interest.
Considering the evidence put before it, the FtP committee found that although Mr Bashir was a “credible witness who was careful and reflective” he had breached fundamental standards of his profession by undermining patient confidentiality and being dishonest when first confronted. It concluded that a warning or conditions on his licence would not be sufficient to safeguard the public interest.
The committee noted that since the allegations he has worked as a pharmacist with no further concerns raised against his practice, and that there is no evidence patients came to harm as a result of his actions.
It concluded: “Suspension is a very serious sanction and, taking into account Mr Bashir’s high level of insight and remediation, we considered that a 3 month suspension would suffice to uphold the standards and public confidence in the profession. This will, to an extent, mitigate the financial and career impact of the suspension on Mr Bashir.”