Lilly discloses e-mail addresses of Prozac patients, blames programming error
Thursday, July 5th 2001, 12:00 am
By: News On 6
INDIANAPOLIS (AP) _ New fears about the online security of private information were stirred Thursday when Eli Lilly and Co. said it had inadvertently released over the Internet the e-mail addresses of more than 600 people on Prozac.
``It just seems like such gross negligence that they let this happen, and then blame it on a programming error and apologize,'' said Evan Hendricks, who publishes the Privacy Times newsletter in Washington.
Hundreds of patients had signed up at a Lilly Web site for an automated e-mail reminding them to take their dose of the antidepressant. Lilly spokesman Jeff Newton said a message sent June 27 announcing the end of the service mistakenly included the e-mail addresses of all the subscribers in the message header.
``It's really just a human programming error,'' Newton said.
Experts said exposing the patients' e-mail addresses made it possible to trace their real names and other information about them, including some medical history.
``Once you put health care information into electronic form, you magnify the harm,'' said Janlori Goldman, director of the Health Privacy Project at Georgetown University.
``Whether they did it inadvertently or not, they did it,'' ACLU associate director Barry Steinhardt said. ``The FTC isn't a privacy cop, it's an honesty cop.''
FTC spokeswoman Claudia Bourne Farrell declined to comment on the Lilly incident but noted that the agency has taken legal action in the past against companies that have violated their own online policies.
The FTC and other authorities stepped in when Toysmart.com went out of business last year and put its customer records up for sale.
Two years ago, RealNetworks of Seattle apologized amid complaints that its software allowing customers to listen to music on computers secretly collected details about people's listening preferences.
Experts said the Lilly incident shows the need for more careful handling of sensitive information only.
Some experts said it is possible that the only law that was violated by Lilly is one not yet in effect _ a federal regulation protecting the privacy of medical records that goes into effect in April 2003.
Even that law might not apply because it does not directly affect drug makers like Lilly, but health care providers and pharmacies, Goldman said.
With health-related Web sites, chat rooms and message boards proliferating on the Internet, more protection is needed, she said.
``We can get tremendous benefits from using the Internet,'' Goldman said. ``But we shouldn't do it all at the risk of privacy.''