Pharmaceutical company Eli Lilly has blamed a programming error for
an incident last week in which it accidentally disclosed the e-mail
addresses of about 600 medical patients. The patients had all
registered for messages reminding them to take the antidepressant
drug Prozac or to attend to other health-related matters.
Analysts said the mistake points to the need for healthcare
organisations to assess whether the way they communicate with
patients violates medical data privacy rules. The federal
government implemented new privacy rules earlier this year in
keeping with the 1996 Health Insurance Portability and
Accountability Act (HIPAA).
Eli Lilly sent an electronic message to registered users of the
"reminder" service on 27 June to notify them that the feature would
be discontinued due to a Web site redesign, according to company
spokeswoman Anne Griffin. But all of their e-mail addresses were
revealed in the message's "to" field, instead of just each
individual's address, she said.
Griffin described the mistake as an "isolated event" that was the
result of human error. In response, she added, Eli Lilly is
preparing a code audit review and "working on a program that would
block all outbound e-mails with more than one address." The company
is also talking to its employees about the importance of protecting
patient privacy, Griffin said.
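The failure described above (one message with every subscriber's address in its "to" field) and the kind of outbound check Griffin mentioned, shown as an added example written for this page rather than Eli Lilly's own code. The sender address, the subscriber list and the transport stub are constructed for the demonstration, and the gate is one plausible reading of "block all outbound e-mails with more than one address", not the company's implementation:

```python
"""Broadcast-To disclosure beside a per-recipient sender with an outbound gate.

Constructed example; not Eli Lilly's code. SENDER, SUBSCRIBERS and the
transport callable are assumptions made for the demonstration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.com"  # assumed sender address

# Constructed sample subscriber list (not real addresses).
SUBSCRIBERS = [
    "alice@example.org",
    "Bob Smith <bob@example.net>",
    "carol@example.com",
]


def build_broadcast_message(recipients, subject, body):
    """The failure pattern: a single message whose To header lists every
    subscriber, so each recipient can read all the other addresses."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_message(recipient, subject, body):
    """Hardened pattern: one message per subscriber, addressed only to them."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Distinct addresses any recipient can see: everything in To and Cc.
    Display names are dropped and addresses compared case-insensitively."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


class RecipientPolicyError(Exception):
    """Raised when a message would expose more than the allowed recipients."""


def outbound_gate(msg, max_visible=1):
    """Reject an outbound message that exposes more than max_visible
    addresses. A Bcc header still present at this point means the sender
    forgot to strip it, so that is rejected as well."""
    if msg.get_all("Bcc"):
        raise RecipientPolicyError("Bcc header must be stripped before sending")
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise RecipientPolicyError(
            f"{len(seen)} visible recipients exceeds limit of {max_visible}")
    return msg


def passes_gate(msg, max_visible=1):
    """Boolean form of outbound_gate, convenient for audits and tests."""
    try:
        outbound_gate(msg, max_visible)
    except RecipientPolicyError:
        return False
    return True


def send_reminders(recipients, subject, body, transport):
    """Send one gated message per subscriber through `transport`, a callable
    taking an EmailMessage (for real mail, e.g. smtplib.SMTP.send_message).
    Returns the number of messages handed to the transport."""
    sent = 0
    for recipient in recipients:
        msg = outbound_gate(build_individual_message(recipient, subject, body))
        transport(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    subject = "Reminder service discontinued"
    body = "This reminder service will end when the site is redesigned."
    broadcast = build_broadcast_message(SUBSCRIBERS, subject, body)
    print("broadcast exposes", len(visible_recipients(broadcast)), "addresses;",
          "gate allows it:", passes_gate(broadcast))
    outbox = []
    n = send_reminders(SUBSCRIBERS, subject, body, outbox.append)
    print("sent", n, "individual messages; most addresses visible in any one:",
          max(len(visible_recipients(m)) for m in outbox))
```

The gate counts distinct addresses in To and Cc rather than raw header entries, so a display name or a repeated address does not produce a false block, and it refuses anything that still carries a Bcc header, since a mail client that forgets to strip Bcc leaks the list just as surely as a crowded To field.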
Eli Lilly had total revenue of about $11bn (£7.86bn) last year.
Griffin declined to comment on whether the e-mail incident violated
the terms of the HIPAA regulations, which include stipulations that
healthcare organisations must establish policies and procedures
aimed at protecting privacy of patients.
Analysts said the drug manufacturer was unlikely to face any HIPAA
penalties, because companies were given two years to comply with
the privacy rules. But the mistake shows why the regulations are
needed, said Mike Davis, a research director at Gartner. Without
HIPAA, he said, the healthcare industry would find it hard to
benefit from Internet technologies, because patients wouldn't
"trust the privacy and confidentiality of their information on the
Web".
During the next two years, healthcare organisations will have to
review the methods they use to communicate with patients in order
to ensure that they're complying with the new rules, said John
Mills, a HIPAA consultant in Fort Worth, Texas. Companies using
e-mail for that purpose need to make sure that the messages contain
"no identifiable patient information," and that any individual
medical information is encrypted, Mills said.
Last week's incident at Eli Lilly has already come under fire from
the American Civil Liberties Union (ACLU). In a letter sent to the
Federal Trade Commission, the ACLU asked the FTC to investigate Eli
Lilly for possible consumer privacy violations.
"If this breach of duty goes unnoticed, it could raise the
possibility not only that Eli Lilly will continue to injure
consumers and harm the public interest, but that other companies
will be encouraged to engage in similarly unfair and deceptive
practices," wrote Barry Steinhardt, the ACLU's associate director,
and Christopher Chiu, an Internet policy analyst for the group.