Eight states have settled a complaint against pharmaceutical
company Eli Lilly, regarding the release of e-mail addresses of
nearly 700 subscribers to its prozac.com e-mail alert.
The release of the e-mail addresses occurred 27 June 2001, when an
employee created a computer program to access subscribers' e-mail
addresses and then sent the customers an e-mail announcing the
termination of the service. However, the addresses of 669 customers
were included in the "To" field of the message header and were
visible to every subscriber.
At the time, Eli Lilly called the incident an isolated event.
"The agreement will protect US consumers from exposure of their
sensitive and personal data collected by the company," said
attorney general Eliot Spitzer.
The settlement requires Lilly to strengthen its internal standards
relating to privacy protection, training and monitoring.
Lilly has agreed to institute automated checks for any of its
software that accesses databases containing consumer information,
Spitzer said. Lilly will also pay a fine of $160,000 (£102,000) to
be divided among the eight states - New York, Massachusetts,
Connecticut, Idaho, Iowa, New Jersey, Vermont and California.
In January, Lilly reached a similar agreement with the US Federal
Trade Commission. However, Brad Maione, a spokesman for Spitzer,
said the FTC settlement is in effect for 20 years, while the
agreement with the states has no expiration date.
"Eli Lilly sincerely regrets that one of our employees made a
mistake which resulted in the disclosure of individual e-mail
address to all subscribers to our Medi-Messenger service. As a
result, we promptly put into place additional measures to prevent
it from ever happening again," Lilly said.
Lilly said that while the company was disappointed that the states
felt that a one-time inadvertent human error warranted a consent
decree, it was committed to implementing the agreement.