Two news items from the US over the past week have highlighted the need for rigorous privacy policies when managing electronic patient sensitive data and electronic communications with patients.

The US Federal Trade Commission (FTC) ruled that pharmaceutical manufacturer Eli Lilly will not have to pay a fine after it accidentally disclosed the e-mail addresses of almost 700 Prozac users, but must beef up its information privacy policies and systems.

Eli Lilly sent regular e-mail messages to people using Prozac, who had registered for information at Lilly’s website.

The problem stemmed from the recipients' e-mail addresses being revealed by hitting the wrong button in the e-mail programme. While the mailings were supposed to be sent in a blind carbon copy (BCC) format, the company accidentally failed to hide recipients' addresses, and sent them instead as carbon copy (CC), which revealed the addresses to all other e-mail recipients.
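The BCC/CC distinction above is a header-level one: addresses placed in To or Cc travel inside every delivered copy, while Bcc addresses are used only for delivery and are stripped from the message. The following Python example, added here and not taken from Lilly's mailing system or any product, shows a bulk-mail builder that keeps subscriber addresses in Bcc alongside the mistaken Cc form, and a pre-send check that refuses any message in which a subscriber address would be visible to the other recipients. The sender address, subscriber list and subject line are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example; not real subscribers.
LIST_ADDRESS = "list@example.org"
SUBSCRIBERS = ["a@example.org", "b@example.org", "c@example.org"]


def build_bulk_message(sender, recipients, subject, body):
    """Correct form: every subscriber goes in Bcc.

    The visible To: header points back at the list address, so no
    recipient learns who else received the mailing."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_leaky_message(sender, recipients, subject, body):
    """The mistake described in the article: subscribers placed in Cc,
    so the full list is delivered inside every copy."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses that every recipient will see: the To and Cc headers.
    Bcc is deliberately excluded because it is removed before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def check_no_recipient_exposure(msg, subscribers):
    """Pre-send guard: raise if any subscriber address is in a visible header.

    Returns True when the message is safe to hand to the mail transport."""
    exposed = sorted(set(visible_recipients(msg)) & set(subscribers))
    if exposed:
        raise ValueError(
            f"refusing to send: {len(exposed)} subscriber address(es) "
            f"would be visible in To/Cc, e.g. {exposed[0]}"
        )
    return True


if __name__ == "__main__":
    safe = build_bulk_message(LIST_ADDRESS, SUBSCRIBERS, "Newsletter", "Hello")
    print("safe message visible recipients:", visible_recipients(safe))
    print("safe to send:", check_no_recipient_exposure(safe, SUBSCRIBERS))

    leaky = build_leaky_message(LIST_ADDRESS, SUBSCRIBERS, "Newsletter", "Hello")
    print("leaky message visible recipients:", visible_recipients(leaky))
    try:
        check_no_recipient_exposure(leaky, SUBSCRIBERS)
    except ValueError as err:
        print("blocked:", err)
```

The check is independent of how the message is later sent; the standard library's `smtplib.SMTP.send_message` uses the Bcc header for the delivery envelope and removes it from the transmitted message, which is exactly the behaviour the guard relies on. Running the guard as a mandatory step before any bulk send, rather than trusting the operator to pick the right field in a mail client, removes the single-click failure mode the article describes.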

The company canceled the "Medi-Messenger" program in late June 2001, but in early July 2001 the American Civil Liberties Union (ACLU) asked the FTC to investigate the privacy breach.

The ACLU said that disclosing the e-mail addresses of people suffering from various forms of depression could lead to discrimination against those people.

The FTC ordered Lilly to maintain an information security programme for all information it collects from its customers for the next 20 years. It also required the firm to carry out an annual security review for the information it holds on customers.

In a separate development, the Star Tribune newspaper last week reported that researchers at the University of Minnesota inadvertently told 410 kidney transplant patients the names of their deceased organ donors, a serious violation of patient confidentiality and medical ethics.

The names of donors were accidentally revealed because of a glitch in a database that generated letters sent each year to recipients participating in a long-term study.