The release of the e-mail addresses occurred 27 June 2001, when an employee created a computer program to access subscribers' e-mail addresses and then sent the customers an e-mail announcing the termination of the service. However, the addresses of 669 customers were included in the "To" field of the message header and were visible to every subscriber.
At the time, Eli Lilly called the incident an isolated event.
"The agreement will protect US consumers from exposure of their sensitive and personal data collected by the company," said attorney general Eliot Spitzer.
The settlement requires Lilly to strengthen its internal standards relating to privacy protection, training and monitoring.
Lilly has agreed to institute automated checks for any of its software that accesses databases containing consumer information, Spitzer said. Lilly will also pay a fine of $160,000 (£102,000) to be divided among the eight states - New York, Massachusetts, Connecticut, Idaho, Iowa, New Jersey, Vermont and California.
In January, Lilly reached a similar agreement with the US Federal Trade Commission. However, Brad Maione, a spokesman for Spitzer, said the FTC settlement is in effect for 20 years, while the agreement with the states has no expiration date.
"Eli Lilly sincerely regrets that one of our employees made a mistake which resulted in the disclosure of individual e-mail addresses to all subscribers to our Medi-Messenger service. As a result, we promptly put into place additional measures to prevent it from ever happening again," Lilly said.
Lilly said that while the company was disappointed that the states felt that a one-time inadvertent human error warranted a consent decree, it was committed to implementing the agreement.