Pharmacies urged to be alert to GDPR themed scam emails
Community Pharmacy England is aware of a recent increase in scam emails being sent to community pharmacies.
Some of these messages falsely claim that the pharmacy is under investigation for a data protection or GDPR compliance breach.
These emails can appear convincing at first glance. However, they often feature significant warning signs and should be deleted without responding.
Typical features of the scam:
- May be sent from free webmail accounts, such as Gmail, rather than official domains used by the NHS, the Information Commissioner’s Office
- Claims that the pharmacy is subject to a mandatory GDPR investigation
- Threats of urgent deadlines or potential enforcement action
- Links whose ‘real’ web address differs from the ‘displayed’ one and seems suspicious (on a desktop, you can check this by hovering over the link without clicking it)
What pharmacies should do when suspicious of an email
- Do not open any attachments
- Do not click links
- Mark it as spam and/or delete
- Report suspicious messages to report@phishing.gov.uk
- If the message arrived via an @nhs.net inbox, use the nhs.net phishing reporting function
Key reassurance for pharmacy teams
The ICO, the UK’s independent body responsible for upholding information rights, promoting data privacy for individuals, and enforcing data protection laws, does not initiate regulatory action through unsolicited emails sent to general inboxes.
NHS England and the Department of Health and Social Care would never direct pharmacies to respond to a private company regarding a GDPR investigation.
The emails have led some pharmacy owners to question whether the nominated Data Protection Officer (DPO) must be independent.
Pharmacies should have a DPO, and if they have not appointed one, this must be actioned.
NHS England advice states:
“ICO advice is when a Pharmacy Manager (or staff member) becomes a DPO, the decision and reasons behind it should be documented and retained as part of the ‘accountability’ that GDPR requires. They also said, where possible, that any conflicts of interest between a person’s current role and that of DPO should be recorded along (again where possible) with mitigating measures to reduce or even eliminate such conflicts. Where they have to deal with a small public authority with the requirement for a DPO to be appointed, they intend to be as pragmatic as they can be.”
We have some information about DPOs on our GDPR and data security roles pages and within our Data Security and Protection Toolkit (DSPTK) guidance.
Support
Community Pharmacy England will continue to monitor this activity and inform NHS cyber and NHS.net Connect (formerly NHSmail) colleagues to help pharmacy teams remain as protected as possible.
Reference to guidance (17th February 2026)
Some recent variants of these GDPR‑themed spam emails have also referenced Community Pharmacy England and its guidance.
Update: Speculative GDPR breach claims targeting pharmacies (15th April 2026)
We are aware of emails and messages being sent to pharmacies that claim a data security breach has occurred, sometimes suggesting that the pharmacy is at risk of investigation or legal action.
In some cases, these messages purport to come from patients or members of the public who allege that personal data was submitted online or mishandled. However, there have been examples where the individual has had no genuine prior interaction with the pharmacy. Some approaches may be linked to speculative or “no win, no fee” activity.
Pharmacies should remain cautious, verify the source of any such messages, and avoid sharing information unless they are confident the request is legitimate. Where appropriate, LPCs may be able to advise if they have seen similar examples locally. Suspicious messages can be marked as spam to help reduce similar campaigns over time.
This should be distinguished from genuine information governance enquiries from real patients, which should continue to be handled appropriately and professionally in line with existing practice.
Community pharmacy owners are encouraged to continue working through their Data Security and Protection Toolkit. This supports pharmacy teams to review and confirm appropriate data security arrangements and the handling of information. The Toolkit must be submitted by the end of June 2026, but there are clear benefits to completing this work in advance.





