For the first time since it became law on Aug. 25, 2009, the Federal Trade Commission (“FTC”) has taken enforcement action under 16 C.F.R. § 318, also known as the Health Breach Notification Rule, with a $1.5 million civil penalty against the healthcare company GoodRx Holdings Inc. (“GoodRx”) for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information with third-party advertising companies such as Facebook, Google, and Criteo.
GoodRx is a focused digital healthcare platform based in Santa Monica, California that advertises, distributes, and sells health-related products and services directly to consumers. In particular, GoodRx provides prescription medication discount products branded as “GoodRx” and telehealth services through its subsidiary, HeyDoctor, LLC (“HeyDoctor”).
The personal health information shared by GoodRx without notice or consent included users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers. GoodRx permitted third-party advertisers to use and profit from their customers’ personal health information.
GoodRx had promised its users that it would share their personal information with a limited amount of third parties for limited purposes, that it would restrict third parties’ use of the information, and it would never share personal health information with advertisers or other third parties. Over a period of four years, GoodRx repeatedly disclosed users’ sensitive personal health information about chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, information relating to parental status, substance addiction, sexual and reproductive health, sexual orientation, and other highly sensitive and personal information without their consent. Not only did GoodRx share its user’s information, but it exploited the information shared with Facebook to target GoodRx users with advertisements on Facebook and Instagram.
The Court determined that GoodRx violated the FTC Act and the Health Breach Notification Rule. Specifically, the Court found that GoodRx violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Under the Health Breach Notification Rule, following the discovery of a breach of security of unsecured PHR identifiable information, vendors shall notify each individual whose unsecured PHR was acquired.
The following counts were determined by the Court to violate the FTC Act and the Health Breach Notification Rule: (1) disclosure of health information to third parties, (2) disclosure of personal information to third parties, (3) failure to limit third-party use of health information, (4) misrepresenting compliance with the digital advertising alliance principles, (5) HIPAA compliance, (6) failure to implement measures to prevent the unauthorized disclosure of health information, (7) failure to provide notice and obtain consent before use and disclosure of health information for advertising, and (8) violation of the Health Breach Notification Rule.
The FTC’s decision against GoodRx should come as a warning to healthcare companies that utilize technology to collect and use consumer information about their users. Healthcare companies that collect potentially sensitive health data must examine whether their data practices align with what they are telling consumers.