FTC Announces Proposed Settlement with GoodRx for Health Breach Notification Rule Violations | Practical Law



FTC Announces Proposed Settlement with GoodRx for Health Breach Notification Rule Violations

by Practical Law Data Privacy & Cybersecurity
Published on 01 Feb 2023 | USA (National/Federal)
The FTC has announced a first-of-its-kind proposed settlement with GoodRx Holdings Inc. over allegations that it violated the Health Breach Notification Rule by failing to report unauthorized disclosures of consumers' personal health information.
On February 1, 2023, the FTC issued a press release announcing a proposed settlement with GoodRx Holdings Inc. over allegations that the company failed to notify consumers and others of its unauthorized disclosures of consumers' personal health information, in violation of the Health Breach Notification Rule (16 C.F.R. §§ 318.1 to 318.9). The proposed settlement represents the FTC's first enforcement action under the Health Breach Notification Rule. GoodRx is a digital health platform that offers prescription drug discounts, telehealth visits, and other health services.
According to the complaint filed by the DOJ on the FTC's behalf, GoodRx violated the Health Breach Notification Rule by:
  • Sharing personal health information with Facebook, Google, and other third parties since at least 2017, despite promising users it would never share that information with third parties.
  • Using personal health information to target its users with advertisements.
  • Failing to limit third-party use of personal health information.
  • Publicly misrepresenting its HIPAA compliance on its website.
  • Failing to implement policies to protect personal health information.
Under the FTC's proposed order, GoodRx must pay a $1.5 million penalty and is prohibited from engaging in the deceptive practices outlined in the complaint. In addition to complying with the Health Breach Notification Rule, GoodRx must:
  • Refrain from sharing user health information for advertising purposes.
  • Obtain user consent before disclosing user health information to third parties for other purposes.
  • Direct third parties to delete consumer health data that was shared with them and inform consumers about the breaches and the FTC's enforcement action against the company.
  • Limit retention of personal and health information, publicly post a retention schedule, and detail the information it collects and why that collection is necessary.
  • Implement a comprehensive privacy program.
The proposed settlement follows the FTC's 2021 policy statement clarifying the scope of the Health Breach Notification Rule to include vendors of personal health records and their service providers, and noting the FTC's intention to bring enforcement actions against such entities.