July 06, 2001, 9:19 AM — Pharmaceutical maker Eli Lilly & Co. blamed a programming error for a recent incident in which it accidentally disclosed the e-mail addresses of about 600 medical patients who had registered to get messages reminding them to take the antidepressant drug Prozac or to attend to other health-related matters.
Analysts said the mistake points to the need for health care organizations to assess whether the way they communicate with patients violates medical data privacy rules that were implemented earlier this year by the federal government in keeping with the Health Insurance Portability and Accountability Act (HIPAA) passed in 1996.
Indianapolis-based Eli Lilly sent an electronic message to registered users of the "reminder" service on June 27 to notify them that the feature would be discontinued due to a Web site redesign, according to company spokeswoman Anne Griffin. But all of their e-mail addresses were revealed in the message's "to" field, instead of just each individual's address, she said.
Griffin described the mistake as an "isolated event" that was the result of human error. In response, she added, Eli Lilly is preparing a code audit review and "working on a program that would block all outbound e-mails with more than one address." The company is also talking to its employees about the importance of protecting patient privacy, Griffin said.
Eli Lilly had total revenue of about US$11 billion last year. Griffin declined to comment on whether the e-mail incident violated the terms of the HIPAA regulations, which include stipulations that health care organizations must establish policies and procedures aimed at protecting privacy of patients.
Analysts said the drug maker probably wouldn't face any HIPAA penalties, because companies were given two years to comply with the privacy rules. But the mistake shows why the regulations are needed, said Mike Davis, a research director at Gartner Inc. in Stamford, Conn. Without HIPAA, he said, the health care industry would find it hard to benefit from Internet technologies, because patients wouldn't "trust the privacy and confidentiality of their information on the Web."
During the next two years, health care organizations will have to review the methods they use to communicate with patients in order to ensure that they're complying with the new rules, said John Mills, a HIPAA consultant in Fort Worth, Texas. Companies using e-mail for that purpose need to make sure that the messages contain "no identifiable patient information," and that any individual medical information is encrypted, Mills said.
Last week's incident at Eli Lilly has already come under fire from the New York-based American Civil Liberties Union (ACLU). In a letter sent to the Federal Trade Commission, the ACLU asked the FTC to investigate Eli Lilly for possible consumer privacy violations.