By Kieron JH · 28 August 2025 · The Reasonable Adjustment
We’ve now issued formal pre-action correspondence to IPS Pharma’s legal representatives at NPA Insurance following a serious data breach and prolonged GDPR non-compliance. The correspondence, sent directly to Ms Alicia Day (as instructed), outlines clear legal concerns about a misdirected prescription email containing a live payment link, and their ongoing failure to respond to a Subject Access Request (SAR) submitted on 24 July 2025.
📍 The Breach
On 22 April 2025, IPS Pharma mistakenly sent a live “Pay Now” link intended for another patient to our founder. Though he immediately recognised the error and took no further action, this still constitutes a personal data breach involving special category health data. There has been no confirmation of ICO notification, no explanation of how the breach occurred, and—most worryingly—no accountability.
📬 Subject Access Request Ignored
The GDPR-mandated one-month deadline to respond to the SAR passed on 24 August 2025 with no compliant reply. We’ve now asked IPS to provide a full Article 15 response, including internal logs, retention policies, and breach-related documentation. Their legal obligation is clear. Their silence is not.
🕰️ A Privacy Policy Stuck in 2018
IPS’s publicly available privacy notice was last updated on 25 May 2018 and still refers to GDPR “transitional periods.” Seven years later, this raises legitimate questions about:
- 📉 Outdated governance and internal training
- 📜 Possible misstatements to patients about how their data is used
- 🛑 Whether IPS has upheld its duties as a data controller under UK GDPR
📄 What We’ve Asked For
Our pre-action correspondence is clear, thorough, and proportionate. It asks IPS and their legal team to respond to the following by 11 September 2025:
- 🔍 A root cause analysis of the breach
- 🧰 Details of existing and missing failsafes in their email and data workflow
- 🧾 Confirmation of regulatory notifications, training dates, and DPIAs
- 🧑⚖️ A complete SAR response under Article 15 UK GDPR
- 🧩 Clarifications on data transfers, third-party disclosures, and retention timelines
⏳ IPS Pharma Now On The Clock
They have until Monday 1 September to acknowledge receipt, and until Thursday 11 September to provide a full response or a detailed investigation plan. If they fail to comply, we reserve the right to refer the matter to the ICO, pursue court proceedings under the Data Protection Act 2018, and seek damages for non-material harm and distress.
🔍 Why This Matters
This isn’t about bureaucracy. It’s about basic trust and safe handling of medical data. When a prescription is misdirected, it’s not just a breach of policy — it’s a breach of patient safety, privacy, and dignity. Add to that a GDPR deadline breach and a stale privacy policy, and the legal risk compounds fast.
“Their privacy policy is a legal time capsule from May 2018. The world has moved on. Their data governance clearly hasn’t.”
🧠 From Passive Patient to Reluctant Litigant
We did not come into this seeking legal escalation. But silence, denial, and retaliation have consequences. Our founder made it clear: resolve the issue respectfully, or defend it publicly. The ball is now in their court. And we’ve got the case files ready.
If you’ve had similar issues with prescription providers, SARs, or data protection breaches, get in touch.
The Reasonable Adjustment
An independent advocacy platform politely causing confusion for disorganised institutions, one lawful request at a time.





Be First to Comment