ACLU Knocks Eli Lilly for Divulging E-Mail Addresses

Site's prescription reminder reveals names of recipients

Pharmaceutical firm Eli Lilly and Co. inadvertently divulged the e-mail addresses of 600 patients to one another due to a computer programming error revealed last week. The incident sparked an outcry from the American Civil Liberties Union for the breach of privacy, and analysts noted it's the kind of event that will violate pending health care rules.

E-Mail Error
Eli Lilly says a programming error led to the mishap.
Patients had signed up for e-mail reminders to take a prescription drug or for other health matters. About 600 patient addresses were identified in a mass e-mail.
The ACLU has asked the FTC to investigate the error for possible consumer privacy violations.

The incident occurred when the drug maker sent an electronic message to its registered Web site users to notify them that the site's "reminder" feature, which alerts them to take their medication, would be discontinued due to a redesign. Instead of each message being sent individually, the system sent one e-mail, whose "to" field revealed the complete e-mail addresses of about 600 patients, according to Eli Lilly spokeswoman Anne Griffin. Indianapolis-based Eli Lilly makes the antidepressant drug Prozac and other drugs.

The affected patients were those who had signed up for the e-mail reminder service. Griffin described the mistake as an "isolated event" and the result of a programming error.

To prevent other such incidents, Eli Lilly is preparing a code audit review and is "working on a program that would block all outbound e-mails with more than one address," said Griffin.
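The failure described above and the kind of outbound check the company said it was working on, sketched as an added example (not Eli Lilly's code and not part of the original article). The function names and the example.test addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

RECIPIENT_HEADERS = ("To", "Cc", "Bcc")
# Constructed sample recipients (not real addresses).
SAMPLE_RECIPIENTS = ["a@example.test", "b@example.test", "c@example.test"]


def recipient_addresses(msg):
    """Return the distinct addresses found across all recipient headers."""
    pairs = []
    for header in RECIPIENT_HEADERS:
        pairs += getaddresses(msg.get_all(header, []))
    return sorted({addr.lower() for _name, addr in pairs if addr})


def outbound_allowed(msg):
    """Policy quoted in the article: block mail with more than one address.
    A message with no recipient at all is rejected as well."""
    return len(recipient_addresses(msg)) == 1


def _message(sender, to_value, subject, body):
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to_value
    m["Subject"] = subject
    m.set_content(body)
    return m


def build_bulk(sender, subject, body, recipients):
    """The failure mode: one message whose To field lists every recipient."""
    return _message(sender, ", ".join(recipients), subject, body)


def build_individual(sender, subject, body, recipients):
    """One message per recipient, so nobody sees anyone else's address."""
    return [_message(sender, r, subject, body) for r in recipients]


if __name__ == "__main__":
    args = ("notices@example.test", "Reminder service ending", "Notice text.")
    bulk = build_bulk(*args, SAMPLE_RECIPIENTS)
    print("bulk allowed:", outbound_allowed(bulk), recipient_addresses(bulk))
    for m in build_individual(*args, SAMPLE_RECIPIENTS):
        print("individual allowed:", outbound_allowed(m), m["To"])
```

The check counts addresses in Cc and Bcc as well as To, since a Cc list exposes recipients to one another in the same way.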

The company is also talking to its employees about the importance of protecting patient privacy, she said.

Analysts said the error violates the pending Health Insurance Portability and Accountability Act (HIPAA), which, among other things, stipulates that health care organizations must establish policies and procedures to protect patient privacy. But the drug maker won't face any HIPAA penalties because organizations have until April 2003 to comply with the rules.

The company's mistake came under fire from the New York-based ACLU, however. In a letter, the ACLU asked the Federal Trade Commission (FTC) to investigate Eli Lilly for consumer privacy violations.

"If this breach of duty goes unnoticed, it could raise the possibility not only that Eli Lilly will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices," wrote Barry Steinhardt, ACLU associate director, and Christopher Chiu, Internet policy analyst.

During the next two years, health care organizations will have to review the way they communicate health information with patients to comply with HIPAA.

Copyright © 2001 IDG Communications, Inc.
