The company responsible for one of the most high profile unauthorized disclosures of health information has agreed to settle charges brought by the Federal Trade Commission — and the agency’s chief says other companies should turn to the settlement in crafting their own privacy policies.
Pharmaceutical giant Eli Lilly, through its Prozac.com Web site, offered consumers the Medi- Messenger e-mail medication reminder service. Patients who signed up for the service received email notifications reminding them to take their medications or refill prescriptions. On June 27, 2001 a Lilly employee sent an e-mail message to all Medi-Messenger subscribers to announce the termination of the service. Unfortunately, that message contained the e-mail addresses of all recipients in the “To:” field.
That e-mail launched a petition from the American Civil Liberties Union requesting that the FTC investigate and take appropriate action against Lilly.
Following an investigation, the FTC filed a complaint alleging that Lilly’s claims of privacy and security — reflected in online statements such as “Eli Lilly and Company respects the privacy of visitors to its Web sites, and we feel it is important to maintain our guests’ privacy as they take advantage of this resource” — were deceptive.
Specifically, according to the complaint, Lilly failed to: provide training for employees on consumer privacy and information security; provide oversight of or assistance for the employee who sent the offending e-mail; and implement “appropriate checks and controls” on the process such as reviewing and pretesting computer programs with experienced personnel. Furthermore, by sending the e-mail, Lilly violated several of its own written security protocols.
“Even the unintentional release of sensitive medical information is a serious breach of consumers’ trust,” says J. Howard Beales, III, director of the FTC’s Bureau of Consumer Protection. “Companies that obtain sensitive information in exchange for a promise to keep it confidential must take appropriate steps to ensure the security of that information.”
The proposed settlement agreement announced Jan. 18 would bar Lilly from making misrepresentations about the extent to which the company protects the privacy of personal information collected from consumers. Lilly would also be required to implement a “four-stage information security program” to protect consumers’ information.
Specifically, Lilly would be required to:
The FTC voted unanimously to accept the settlement agreement which will soon be published in the Federal Register. The agreement will then be subject to public comment for 30 days, after which the FTC will decide whether to make it final.
FTC Commissioner Orson Swindle was soft in his criticism of the company and noted that the plan could serve as guidance for other organizations that handle sensitive health information: “Lilly’s responsiveness and its efforts to improve corporate privacy practices can be a model for others to follow.”