Written By Attorney Mysty Blagg
GoodRx agrees to pay $1.5 million to settle allegations that it breached the Federal Trade Commission’s (“FTC”) Health Breach Notification Rule (“HBNR”).
GoodRx issued a statement regarding the settlement indicating that the company does not agree with the FTC’s allegations and admits no wrongdoing. GoodRx operates a digital health solution that offers telehealth visits and prescription drug discounts, among other health services.
The HBNR requires vendors of personal health records and related entities to notify consumers and the FTC following a breach of security involving unsecured, individually identifiable health information held in a personal health record. See 16 CFR Part 318. In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the HBNR, and that a “breach” under the Rule is not limited to a cybersecurity intrusion: sharing covered information without the individual’s authorization also triggers the notification obligation. The HBNR thus holds entities that are not subject to HIPAA accountable when sensitive health information is breached.
The FTC, in its complaint, alleged that GoodRx shared personal health information with advertising companies and platforms, contrary to its privacy promises to consumers, that these practices went on for years, and that GoodRx never reported the unauthorized disclosures as the HBNR requires. Specifically, the FTC alleged that GoodRx:
- Shared personal health information, including prescription information and personal health conditions, with third-party companies and platforms such as Facebook, Google, and Criteo;
- Monetized its data and used it for targeted advertising;
- Misrepresented its HIPAA compliance by displaying a seal at the bottom of its telehealth homepage; and
- Failed to implement sufficient policies and procedures to protect its users’ personal health information.
In addition to the $1.5 million civil penalty against GoodRx, the Department of Justice filed a proposed order that, if approved by the court, would require that GoodRx:
- No longer share health data for advertising purposes;
- Obtain user consent before disclosing the user’s health information to third parties;
- Direct third parties to delete consumer health data that was shared with them and inform consumers of both the breach and the FTC’s enforcement action against the company;
- Limit data retention according to a data retention schedule; and
- Implement a comprehensive privacy program.
In response to the GoodRx enforcement action, the Director of the FTC’s Bureau of Consumer Protection stated: “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” Digital health developers and companies should heed this warning. When developing a digital health solution, it is important to have a data strategy that complies with regulatory requirements: know which third-party advertising and analytics integrations receive user data, whether that data is health information, and whether each disclosure matches the promises made to users and the consent obtained from them.