States, Eli Lilly settle privacy case

Computerworld - Eight states have settled a complaint against pharmaceutical company Eli Lilly and Co., stemming from the release of e-mail addresses of nearly 700 subscribers to its prozac.com e-mail alert, New York Attorney General Eliot Spitzer said today.
The release of the e-mail addresses occurred June 27, 2001, when an employee created a computer program to access subscribers' e-mail addresses and then sent the customers an e-mail announcing the termination of the service (see story). However, the addresses of 669 customers were included in the "To" field of the message header and were visible to every subscriber.
At the time, Eli Lilly called the incident an isolated event.
"The agreement will protect U.S. consumers from exposure of their sensitive and personal data collected by the company," Spitzer said in a statement.
The settlement requires Lilly to strengthen its internal standards relating to privacy protection, training and monitoring.
Lilly has agreed to institute automated checks for any of its software that accesses databases containing consumer information, Spitzer said. Lilly will also pay a fine of $160,000 to be divided among the eight states -- New York, Massachusetts, Connecticut, Idaho, Iowa, New Jersey, Vermont and California.
In January, Lilly reached a similar agreement with the U.S. Federal Trade Commission (see story). However, Brad Maione, a spokesman for Spitzer, said the FTC settlement is in effect for 20 years, while the agreement with the states has no expiration date.
"Eli Lilly sincerely regrets that one of our employees made a mistake which resulted in the disclosure of individual e-mail address to all subscribers to our Medi-Messenger service. As a result, we promptly put into place additional measures to prevent it from ever happening again," Indianapolis-based Lilly said in a statement provided to Computerworld.
Lilly said that while the company was disappointed that the states felt that a one-time, inadvertent human error warranted a consent decree, it was committed to implementing the agreement.

Read more about privacy in Computerworld's Privacy Knowledge Center.