On February 1, 2023, the Federal Trade Commission announced that it had entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third-party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.
The FTC’s Health Breach Notification Rule defines a “breach of security” as “acquisition of [unsecured PHR identifiable health information] without the authorization of the individual.” In its 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the FTC reminded entities offering services covered by the Health Breach Notification Rule that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”
The complaint against GoodRx, filed by the Department of Justice on behalf of the FTC in the U.S. District Court for the Northern District of California, alleges that GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosures of consumers’ health information to third-party advertising companies and advertising platforms including Facebook, Google, and Criteo, and other third parties including Branch and Twilio. The alleged disclosures were unauthorized because GoodRx promised that it would never share personal health information with advertisers or other third parties. Notably, GoodRx never provided notice of these types of disclosures to customers, or obtained their consent thereto.
In addition to allegations related to GoodRx’s advertising and data sharing practices, the FTC also alleged that GoodRx violated the FTC Act by misrepresenting its HIPAA compliance by displaying a seal on its telehealth homepage that falsely suggested it complied with the law, and by failing to implement “sufficient formal, written, or standard privacy or data sharing policies or compliance programs.”
In addition to the $1.5 million penalty, the proposed order would:
- Prohibit GoodRx from engaging in such marketing practices;
- Require GoodRx to notify affected individuals of the unauthorized disclosures;
- Require GoodRx to instruct recipients of the health information to delete it;
- Require GoodRx to maintain a comprehensive privacy program;
- Require GoodRx to undergo a privacy assessment by a third-party auditor;
- Require GoodRx to report certain security incidents to the FTC within 30 days of discovery; and
- Require GoodRx to submit to compliance reporting, recordkeeping and compliance monitoring requirements.