GoodRx Fined in First Violation of the Health Breach Notification Rule

The United States Department of Justice (DOJ), acting on behalf of the Federal Trade Commission (FTC), filed a complaint and proposed order against GoodRx Holdings Inc. over its alleged violation of the Health Breach Notification Rule. This is the agency's first enforcement action under the Rule, and it puts the industry on notice that the FTC treats the sharing of users' sensitive health information with advertisers as a serious matter.

The Health Breach Notification Rule requires vendors of personal health records and related entities that are not covered by HIPAA, such as health applications and connected devices, to notify affected customers and the FTC when identifiable health information is disclosed to or acquired by a third party without the user's authorization.

The FTC alleges that GoodRx shared user health information with advertising platforms such as Google, Facebook, and Criteo, in violation of its own privacy promises, and never reported these unauthorized disclosures. GoodRx also shared user data with other third-party platforms, including Branch (a mobile linking and customer acquisition platform) and Twilio (a web communications company).

One example from the FTC complaint: in 2019, GoodRx compiled lists of users who had bought medications for conditions such as heart disease and high blood pressure, then uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so that Facebook could match them to their profiles and target them with health-related advertisements.

In addition to sharing consumer information with third parties, GoodRx also allegedly misrepresented its HIPAA compliance by displaying a seal on its telehealth website suggesting that it complied with HIPAA. The FTC alleges that this was a deceptive practice under the FTC Act.

The FTC also alleges that GoodRx did not maintain sufficient policies and procedures to protect the personal health information of its users until a consumer watchdog publicly revealed GoodRx's data-sharing practices in February 2020.

Under the proposed order, GoodRx is prohibited from sharing user health data with any third party for advertising purposes, must obtain a user's affirmative express consent before sharing their health data for any other purpose, and is limited in how long it may retain user information. GoodRx must also implement a comprehensive privacy program with strong safeguards for consumer data. GoodRx is to pay a $1.5 million civil penalty, though the company has not admitted any wrongdoing.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

Before the order can take effect, it must be approved by the United States District Court for the Northern District of California. While this is the first enforcement action under the Health Breach Notification Rule, the FTC has said that enforcing the Rule to protect the health privacy of Americans is a priority for the agency, and other health applications should pay close attention to their obligations under the Rule.
