Regular readers know my controversial stance on privacy legislation. Just as we need criminal laws for the small minority of miscreants out there, we need privacy laws for the small minority of sites that will exploit sensitive user data for quick cash. I believe that most sites understand that they will quickly lose business if they violate their users’ privacy trust. But some will inappropriately use this data out of desperation or nonchalance.
According to a news story on our site today, Eli Lilly–the mammoth pharmaceutical company–fits into the latter category. The company notifies Prozac users when they need to refill their meds, hoping to increase sales of the drug. When it sends these notices out, it hides the To field in the e-mail so that no one sees the other users on the list. But for some reason it did not hide the To field on a recent e-mail, and instead published the e-mail addresses of hundreds of Prozac users.
Oops. Which is essentially what the company said when it found out about the error. The case demonstrates how easy it is to unwittingly violate your own privacy policies. Companies that understand this principle hire chief privacy officers (CPOs) to make sure that every department in the company is well versed in what could happen with this data. This minimizes the chances of private-data leaks. But, unless there are laws with enforcement guidelines and tough penalties associated with privacy infringement, companies like Lilly will underestimate the risks and continue to think up witless promotions that risk privacy infringement.
Fortunately, the President, some members of Congress, and even some high-tech lobbying groups recognize the need for legislation of particularly sensitive data, such as financial and medical reports. I have written several columns arguing this issue before, including this one. There are several opponents of my arguments in Congress who believe that medical confidentiality only extends to doctor/patient privilege and not to HMO/patient privilege, pharmaceutical conglomerate/patient privilege, or even insurance conglomerate/patient privilege. Which is to say, some very powerful lobbies want to enable their constituents to use patient information however they please for the sake of profits. This includes selling the information for targeted advertising.
The other day, I was at a social function when the topic of targeted medical advertising came up. None of these people were techies–just average folks who spoke matter-of-factly about their experiences. Everyone in the conversation had had a similar experience: They each recently started receiving special offers for some new drug that would help them with their medical condition. All of the marketing accurately reflected their medical problems; no one received marketing materials for medical problems they don’t have. And none of them knew how the pharmaceutical companies got hold of the information about their problems. Supposing this group is a representative sample, the prospects of the use (and misuse) of this information are scary. Hopefully this Lilly case will improve the political climate for stricter medical privacy provisions, which are key aspects of the Democrats’ Patients’ Bill of Rights agenda.
James Mathewson is editorial director of ComputerUser magazine and ComputerUser.com.