The FTC said Eli Lilly violated its online privacy policy during the incident. The company has agreed to beef up its existing security and to create an internal program to prevent future privacy violations.
The company does not face fines because the incident was unintentional and not a clear case of fraud, J. Howard Beales, III, director of the FTC's bureau of consumer protection, said during a press conference.
The privacy incident occurred last June when an employee accidentally sent an e-mail to 669 people with all of their e-mail addresses included in the "to:" line. The message announced the discontinuation of the company's Medi-messenger service, which allowed people taking the anti-depressant medication Prozac to create automated e-mail reminders.
The FTC alleged that Eli Lilly failed to implement safeguards to prevent these types of privacy and security breaches. The agency also said the company did not provide adequate employee training to prevent these situations from happening.
"They made a promise which we understood to mean that Lilly employees measure and take steps to protect privacy," Beales said. "They didn't take the measures and steps."
