ACLU Criticizes Government Settlement of Prozac Privacy Breach, Saying Victims Deserve Compensation

FOR IMMEDIATE RELEASE

NEW YORK–The American Civil Liberties Union today criticized the settlement of a case in which drug giant Eli Lilly admitted that it mistakenly gave out confidential information concerning nearly 700 patients who had signed up for a Prozac medication reminder service, saying that the company should be fined and the victims should receive financial compensation.

The ACLU had brought the privacy breach to the attention of the Federal Trade Commission last July when it learned from one of the patients that Lilly had sent out an e-mail containing the Internet addresses of all 669 patients who had signed up for the service. The FTC then launched an investigation, resulting in today’s settlement.

“The requirements of the settlement merely codify the privacy protections the company should have been taking to begin with,” said Barry Steinhardt, Associate Director of the ACLU. “By not leveling a fine and ordering damages to be paid to the victims of Eli Lilly’s serious privacy breach, the trade commission has missed an opportunity to send a message to online medical providers that there is a price to pay for being careless with highly sensitive information.”

“This is especially important because it is not clear whether federal medical privacy regulations cover online providers of medical information,” Steinhardt explained. “Thus, those who seek the anonymity of the Internet to access sensitive medical information may be the most vulnerable to privacy breaches.”

The case is the first time the FTC has prosecuted an unintentional violation of a website’s privacy policies. The settlement requires the Indianapolis-based company to create better safeguards for sensitive information. The security program must be reviewed every year and the company will be fined for any more violations.

Steinhardt said that the ACLU will be reviewing the settlement agreement during the 30-day comment period and that it plans to ask the Commission to order Eli Lilly to pay a fine and damages to the victims of their privacy violation.

Through June 27, 2001, Eli Lilly and Company provided a daily E-mail service, known as Medi-Messenger, that reminded Prozac users to take their anti-depressant medication. These messages were sent without identifying the recipients. However, when Eli Lilly discontinued the service it sent an E-mail to its customers that included a long, publicly visible list of recipients. The ACLU charged that Eli Lilly’s distribution of the E-mail violated the company’s posted privacy policy and constituted an unfair trade practice in violation of Federal laws.

The FTC statement and settlement is online at http://www.ftc.gov/opa/2002/01/elililly.htm