Release of information about Prozac users led to stronger privacy requirements.
DES MOINES. Attorney General Tom Miller said today that Iowa and seven other states have reached an agreement with Eli Lilly & Co. resulting from the company's unauthorized disclosure last year of the e-mail addresses of hundreds of users of the anti-depressant medication, Prozac.
"The company is required to strengthen its privacy protection, training, and monitoring," Miller said. "Consumers have a right to expect that their sensitive personal data will be protected just as carefully as a company protects its own key data such as corporate financial records. The disclosure was unintentional, but even inadvertent disclosure of such sensitive personal information is a violation of consumers' trust."
Lilly is one of the world's leading pharmaceutical companies and is the maker of Prozac and other psychotropic medications. Lilly operates web sites including www.prozac.com and www.lilly.com. From March 2000 to June 2001, Lilly offered consumers a "Medi-messenger" e-mail reminder service, which could provide consumers with reminders about taking their medications or refilling prescriptions. Web site privacy statements said Lilly had security measures in place to protect the confidentiality of any sensitive consumer information.
The data exposure occurred June 27, 2001, in a mass e-mail Lilly sent to all of its Prozac.com "Medi-messenger" subscribers. The e-mail addresses of the 669 subscribers were visible at the top of the e-mail in the "To:" line. Lilly attributes the disclosure to error by a programmer.
Under the agreement with the states, Lilly is required to maintain "an information security program for the protection of personally-identifiable information" obtained from consumers, including automated database barriers to protect consumers' personal information, administrative and technical safeguards, designation of personnel to coordinate the program, training and monitoring of staff, independent compliance reports, and other measures.
"Privacy of personal information is a very important issue, all the more in this electronic age, and all the more still for highly-sensitive personal medical information," Miller said. "Companies need to establish rigorous procedures, training and firewalls to avoid careless or malicious misuse of consumers' information, just as they protect their own valuable company information."
The states' agreement builds on obligations established by an administrative order issued by the Federal Trade Commission last January, which is in effect for twenty years. The states' agreement specifies no expiration date.
Lilly also agreed to pay $160,000 ($20,000 to each of the eight states) for consumer education, litigation and public protection.
States participating in the agreement with Eli Lilly are California, which led the effort, Connecticut, Idaho, Iowa, Massachusetts, New Jersey, New York, and Vermont.
- 30 -