RealTime IT News

Eli Lilly Settles FTC Security Breach Charges

The Federal Trade Commission settled its case Friday afternoon with Eli Lilly & Co., the Indiana-based drug giant that inadvertently disclosed the personal information of 669 Prozac users to the public.

Regulators ordered the owners of the Prozac.com Web site to conduct yearly security checks of their operations and submit yearly reviews to the FTC to ensure compliance.

On June 27, 2001, an employee at Lilly sent out a message to members of the Medi-messenger notification service informing them of the service's termination. The message sent to each member contained the email addresses of the other 668 members of the list in the message's To: field.
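The failure described above is a bulk notification that placed every subscriber in the visible To: field. The following is an added example, not code from the article or from Lilly: it builds a notification the unsafe way alongside the safe way (one message per recipient) and adds a pre-send check that refuses any message exposing more than one address in To: or Cc:. The member list, sender address and subject are constructed placeholders.

```python
# Added example (not from the article): per-recipient notifications plus a
# pre-send check that refuses a message exposing other members' addresses.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample subscriber list; placeholder addresses, not real members.
SAMPLE_MEMBERS = [
    "member1@example.invalid",
    "member2@example.invalid",
    "member3@example.invalid",
]


def visible_recipients(msg):
    """Return every address that other recipients can see (To: and Cc:)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def recipient_exposure(msg, max_visible=1):
    """Return a list of problems; an empty list means the message is safe to send."""
    seen = visible_recipients(msg)
    problems = []
    if len(seen) > max_visible:
        problems.append(
            f"{len(seen)} addresses visible in To:/Cc: (limit {max_visible})"
        )
    return problems


def build_bulk_message_unsafe(sender, members, subject, body):
    """The failure mode: every member in To:, so each one sees all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(sender, members, subject, body):
    """One message per member; no other member's address appears in any header."""
    messages = []
    for member in members:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = member
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def safe_to_send(messages):
    """Gate for an outbound queue: every message must pass the exposure check."""
    return all(not recipient_exposure(m) for m in messages)


if __name__ == "__main__":
    sender = "notifications@example.invalid"  # constructed placeholder
    bulk = build_bulk_message_unsafe(sender, SAMPLE_MEMBERS, "Service ending", "...")
    print("bulk message problems:", recipient_exposure(bulk))
    singles = build_individual_messages(sender, SAMPLE_MEMBERS, "Service ending", "...")
    print("individual messages safe:", safe_to_send(singles))
```

The check is placed in front of the send step rather than relying on the sender to remember Bcc:; a mail gateway or sending script that rejects multi-recipient To:/Cc: headers on list traffic turns this class of mistake into a blocked send rather than a disclosure.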

The American Civil Liberties Union soon after filed a letter of protest with Timothy Muris, FTC chairman, saying that failure to set an example for this security offense could send a message to the entire online medical community.

"These events set a dangerous precedent. Eli Lilly had a duty of care and a duty under the Federal Trade laws to protect the confidentiality of the medical consumers who used its product. If this breach of duty goes unnoticed, it would raise the possibility not only that Eli Lilly will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices, and the privacy interests of consumers engaging in online commerce and other Internet activities will be significantly diminished." -- ACLU letter, dated July 3, 2001.

While company officials were quick to point out after the ensuing flap that it was an unintentional mistake, J. Howard Beales III, director of the FTC's bureau of consumer protection, said that does not lessen the severity of the breach of confidence.

"Even the unintentional release of sensitive medical information is a serious breach of consumers' trust," he said. "Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information."

The FTC has mandated that Lilly take corrective steps going forward:

  • Only certain employees will have access to coordinate and oversee the program.
  • Audit the entire organization's Web operations to find out whether there are other possible security risks, including a lack of adequate training.
  • Make any necessary adjustments to its operations in light of the report's findings.
  • The company has 90 days to comply with the order and submit a written review by a senior official, a review that will be conducted yearly.

Debbi Davis, a Lilly spokesperson, said her company will comply fully with the FTC's order and has already taken steps to prevent future occurrences.

"We have apologized many times for this regrettable incident and, as a result, we promptly put additional measures in place to prevent it from ever happening again," she said.

Worried about security leaks at other online medical Web sites, the ACLU was disappointed in the FTC's ruling, saying it sets a dangerous precedent.

Barry Steinhardt, ACLU associate director, said the FTC missed its opportunity to send a message to online medical providers, which it could have done by levying fines and making Lilly pay restitution to those involved.

"This is especially important because it is not clear whether federal medical privacy regulations cover online providers of medical information," he said. "Thus, those who seek the anonymity of the Internet to access sensitive medical information may be the most vulnerable to privacy breaches."

The ACLU plans to review the settlement and reiterate to the FTC its insistence on fines and damages paid to the individuals involved.

It's not likely to happen, and a statement sent with the FTC ruling by commissioner Orson Swindle shows the federal agency is ready to forgive, if not forget.

"I appreciate the company's leadership in cooperating with us to improve its security measures, and I believe the firm will fully carry out its commitments under the proposed order. Lilly's responsiveness and its efforts to improve corporate privacy practices can be a model for others to follow," Swindle said in the statement.