On February 1, 2023, the Department of Justice filed a proposed order on behalf of the Federal Trade Commission prohibiting GoodRx from sharing the health information of its users with third parties for advertising purposes, following an investigation by the FTC. The FTC alleged that GoodRx – doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx) – violated the FTC Act by engaging in unfair and deceptive trade practices, namely sharing the data of millions of users without their knowledge or consent, and violated the FTC Health Breach Notification Rule by failing to notify users about the privacy violation.
The information shared with third parties included personally identifying information, information about sensitive health conditions, and medications. The FTC alleged that the information was shared despite GoodRx repeatedly assuring its users that sensitive health information would be protected and would not be shared with third parties. The FTC also took issue with GoodRx displaying a seal on its website stating that the company was “HIPAA Secure: Patient Data Protected”, which implied that GoodRx was a covered entity under HIPAA when it was not, and that it was compliant with the HIPAA Rules when it was not.
“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”
The data was shared with third parties via third-party tracking pixels on the GoodRx website and plug-and-play software development kits provided by companies such as Google, Facebook, Criteo, Branch, and Twilio. The data collected via those tools was shared with the providers of the software kits and pixels and was potentially used for advertising purposes. GoodRx did not agree with the findings of the FTC and told The HIPAA Journal that there had been no wrongdoing, and that it had decided to settle the allegations to avoid the time and expense of protracted litigation.
The settlement was agreed upon by all parties and requires GoodRx to pay a $1.5 million financial penalty and adopt a corrective action plan that will prevent future unauthorized disclosures of sensitive health data and ensure future compliance with the FTC Act and the Health Breach Notification Rule. GoodRx has also agreed not to disclose the sensitive health data of its users without first obtaining consent to do so and will notify all affected individuals about the disclosures. The court recently approved the proposed order and the settlement will now take effect.
“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”
The post Court Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations appeared first on HIPAA Journal.