Pharmaceutical developer Eli Lilly and Co. has settled charges stemming from the accidental release of the private e-mail addresses of some of its customers, the Federal Trade Commission said.
Under the agreement, Eli Lilly is required to implement a security program to prevent another accidental release of consumer personal information.
From March 15, 2000, to June 22, 2001, Eli Lilly collected e-mail addresses through its prozac.com and lilly.com Web sites. The e-mail addresses are used in “Medi-messenger,” a reminder service that sends personalized e-mails to Lilly consumers to alert them when they need to take their medication or get a refill.
On June 27, 2001, an Eli Lilly employee sent an e-mail to all 669 Medi-messenger subscribers informing them that the service would be canceled. However, the e-mail addresses of all the subscribers were listed in the “To:” line of the e-mails, so everyone who received the e-mail could see the address of every other subscriber to the service.
The FTC charged Eli Lilly with violating its own privacy policy in the incident. The company was found to have failed to implement proper checks and controls to prevent such an incident from occurring and failed to provide employees with proper assistance and training.
Eli Lilly must designate personnel to oversee information security and identify potential risks. The company also must conduct an annual written review of security procedures.
