For Immediate Release:

July 25, 2002

For Information Contact:

Genene W. Morris 973-504-6327

NEWARK - Prozac manufacturer Eli Lilly and Company has entered into an agreement with New Jersey and seven other states to settle concerns that the company revealed personally identifiable information about certain customers despite its own assurances that the company would maintain customer confidentiality, Attorney General David Samson and Consumer Affairs Director Reni Erdos said today.

Without admitting any wrongdoing, Eli Lilly will implement procedures to protect sensitive and personal data collected from its customers and will pay the states $160,000.

The multi-state agreement stems from an e-mail the pharmaceutical company sent last year to subscribers of its prozac.com alert service, in which the e-mail addresses of all 669 subscribers were revealed to each recipient of the message. The June 27, 2001, message informed the "Medi-messenger" subscribers that Eli Lilly was terminating the service. The Medi-messenger service enabled consumers to specify the content of e-mails, including reminders about their medications, and to schedule how often the message would be sent to their e-mail addresses.

The states assert that Eli Lilly violated its privacy policy by sending the one e-mail to all 669 customers, revealing the e-mail addresses of all recipients within the "to:"line of the message, instead of sending 669 individual e-mails to each subscriber. Eli Lilly attributed the breach of confidentiality to a programming error.

"Consumers who provide personally identifiable information to a Web site have a right to expect that their information will be kept private and secure from disclosure - particularly if the information includes data relating to one's health and the Web site assures them that the information will be protected," Attorney General Samson said.

"The agreement that is now in place is designed to ensure that the company implements and adheres to procedures that will keep the personal information of Eli Lilly customers confidential," Erdos said.

Under the agreement, Eli Lilly will institute supervisory procedures to achieve compliance with the agreement and not misrepresent the extent to which it will maintain and protect its customer's confidentiality.

Eli Lilly will also maintain an information security program for the protection of personally identifiable information obtained from or about U.S. consumers. The company will also document its means of implementing the program and conduct a written review that evaluates the program's effectiveness and recommends changes to the program. The review must be completed within 90 days of the agreement and the company must provide the states with a copy of the review.

Other states participating in the agreement include: California, Connecticut, Idaho, Iowa, Massachusetts, New York, and Vermont.

Deputy Attorney General Carol G. Jacobson of the Division of Law handled this matter for New Jersey.