Eli Lilly Settles FTC Security Breach Charges

The Federal Trade Commission settled its case Friday afternoon with Eli Lilly & Co., the Indiana-based drug giant that inadvertently disclosed the personal information of 669 Prozac users to the public.

Regulators ordered the owners of the Prozac.com Web site to conduct yearly security checks of their operations and submit
yearly reviews to the FTC to ensure compliance.

On June 27, 2001, an employee at Lilly sent out a message to members of the
Medi-messenger notification service informing them of the service’s
termination. The message sent to each member contained the email addresses
of the other 668 members of the list in the message’s To: field.
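The mechanism described above, as an added example that is not part of the original article or of Lilly's systems: a notification mailer that builds one message per member instead of one broadcast with every address in To:, plus an audit function a defender can run on any outbound message before it reaches an SMTP server. The sender address, member list and helper names are constructed for illustration.

```python
"""Per-recipient notification mailing and a pre-send recipient-exposure check.

Added example: the unsafe builder reproduces the failure mode (one message,
all members visible in To:); the safe builder sends each member a separate
copy. Nothing is transmitted; all addresses are constructed sample data.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample membership list (placeholder addresses, not real users).
MEMBERS = ["member1@example.org", "member2@example.net", "member3@example.com"]
SENDER = "notifications@example.org"  # assumed service mailbox


def build_broadcast_unsafe(sender, recipients, subject, body):
    """The pattern that exposed the list: a single message with every
    recipient in the To: header, so each member sees all the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notices(sender, recipients, subject, body):
    """Safe pattern: one message per member, addressed only to that member.
    Returns the list of messages ready to be handed to an SMTP client."""
    notices = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Every address a recipient of this message can see: To: and Cc:.
    Bcc: is deliberately excluded because a correct MTA strips it."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def leaks_other_members(msg, members):
    """Audit gate: True if more than one list member's address is visible.
    Run this on every outbound message from a subscriber list; any hit means
    the message would disclose membership to other subscribers."""
    visible = visible_recipients(msg)
    exposed = visible & {m.lower() for m in members}
    return len(exposed) > 1


if __name__ == "__main__":
    bad = build_broadcast_unsafe(SENDER, MEMBERS, "Service ending", "Goodbye.")
    print("broadcast leaks membership:", leaks_other_members(bad, MEMBERS))
    for notice in build_notices(SENDER, MEMBERS, "Service ending", "Goodbye."):
        print(notice["To"], "leaks:", leaks_other_members(notice, MEMBERS))
```

The audit function is the part worth wiring into a real mailer: a per-message gate that refuses to send when more than one subscriber address is visible catches both the To: mistake in this incident and the equivalent Cc: mistake, regardless of which template or tool produced the message.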

The American Civil Liberties Union soon after filed a letter of protest with
Timothy Muris, FTC chairman, saying that failure to set an example for this
security offense could send a message to the entire online medical community.

“These events set a dangerous precedent. Eli Lilly had a duty of care and
a duty under the Federal Trade laws to protect the confidentiality of the
medical consumers who used its product. If this breach of duty goes
unnoticed, it would raise the possibility not only that Eli Lilly will
continue to injure consumers and harm the public interest, but that other
companies will be encouraged to engage in similarly unfair and deceptive
practices, and the privacy interests of consumers engaging in online
commerce and other Internet activities will be significantly
diminished.”
— ACLU letter, dated July 3, 2001.

While company officials were quick to point out, after the ensuing flap, that
it was an unintentional mistake, J. Howard Beales III, director of the FTC’s
Bureau of Consumer Protection, said that does not lessen the severity of the
breach of confidence.

“Even the unintentional release of sensitive medical information is a
serious breach of consumers’ trust,” he said. “Companies that obtain
sensitive information in exchange for a promise to keep it confidential
must take appropriate steps to ensure the security of that information.”

The FTC has mandated that Lilly take corrective steps going forward:

  • Only designated employees will have access to coordinate and oversee the
    program.
  • Audit the entire organization’s Web operations to find out whether there
    are other possible security risks, including a lack of adequate training.
  • Make any necessary adjustments to its operations in light of the
    report’s findings.
  • The company has 90 days to comply with the order and submit a written
    review by a senior official, a review that will be conducted yearly.

Debbi Davis, a Lilly spokesperson, said her company will comply fully with
the FTC’s order and has already taken steps to prevent future occurrences.

“We have apologized many times for this regrettable incident and, as a
result, we promptly put additional measures in place to prevent it from
ever happening again,” she said.

Worried about security leaks at other online medical Web sites, the ACLU
was disappointed in the FTC’s ruling, saying it sets a dangerous precedent.

Barry Steinhardt, ACLU associate director, said the FTC has missed its
opportunity to send a message to online medical providers by levying fines
and making Lilly pay restitution to those involved.

“This is especially important because it is not clear whether federal
medical privacy regulations cover online providers of medical information,”
he said. “Thus, those who seek the anonymity of the Internet to access
sensitive medical information may be the most vulnerable to privacy breaches.”

The ACLU plans to review the settlement and reiterate to the FTC its
insistence on fines and damages paid to the individuals involved.

It’s not likely to happen, and a statement sent with the FTC ruling by
commissioner Orson Swindle shows the federal agency is ready to forgive, if
not forget.

“I appreciate the company’s leadership in cooperating with us to improve
its security measures, and I believe the firm will fully carry out its
commitments under the proposed order. Lilly’s responsiveness and its
efforts to improve corporate privacy practices can be a model for others to
follow,” Swindle said in the statement.
