Facebook Twitter

Lilly’s release of addresses a reminder to Internet users

SHARE Lilly’s release of addresses a reminder to Internet users

INDIANAPOLIS — Drug maker Eli Lilly and Co.'s inadvertent release of the e-mail addresses of 600 people on Prozac should be a reminder to Internet users to be wary of the information they give out, privacy experts say.

The Prozac patients had signed up at a Lilly Web site for an automated e-mail reminding them to take their dose of the anti-depressant.

Lilly spokesman Jeff Newton said a message sent June 27 announcing the end of the service mistakenly included the e-mail addresses of all the subscribers in the message header.

"We understand completely why these folks are concerned, and we believe we've fixed the problem," Newton said Thursday.

Newton said the release was a human programming error and the company has since added security measures.

The American Civil Liberties Union has asked the Federal Trade Commission to investigate and accused the Indianapolis-based pharmaceutical giant of violating its own Internet privacy policy.

"Whether they did it inadvertently or not, they did it," ACLU associate director Barry Steinhardt said.

By knowing an e-mail address, it is possible to trace the address holder's real name and other information, including some medical history, he said.

"E-mail address is becoming a form of identification," Steinhardt said. "Unfortunately, it's only a pseudonym on the surface."

People risk such exposure when they log on to health-related Web sites, chat rooms and message boards, said Janlori Goldman, director of the Health Privacy Project at Georgetown University. She said a study of 21 health Web sites by the Project found that most had inadequate security protections.

"Once you put health care information into electronic form, you magnify the harm," Goldman said.

FTC spokeswoman Claudia Bourne Farrell declined to comment on the complaint against Lilly but said the agency has taken legal action in the past against companies that have violated their own online policies.

It is possible that the only law violated by Lilly is one not yet in effect — a federal regulation protecting the privacy of medical records, which goes into effect in April 2003. Even that law might not apply because it does not directly affect drug makers like Lilly, but health care providers and pharmacies, Goldman said.