Skip to main content

**Attorney Advertisement**

On February 1, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action for the first time under its Health Breach Notification Rule against the telehealth ad prescription drug discount provider GoodRx Holdings Inc. (“GoodRx”). The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers following a breach involving unsecured, personally identifiable health information.

The FTC has taken this enforcement action against GoodRx for GoodRx’s alleged failure to notify customers and others of its unauthorized disclosures of consumer’s personal health information to Facebook, Google, and other companies. The proposed order, filed by the Department of Justice (“DOJ”) on behalf of the FTC, prohibits GoodRx from sharing user health data with applicable third-parties for advertising purposes. Further, GoodRx has agreed to pay a $1.5 million civil penalty for violating the Health Breach Notification Rule. However, for the proposed order to be enforced, a federal court must approve the order for it to go into effect.

The California based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services, collecting personal and health information about its users. GoodRx has allegedly violated the Health Breach Notification Rule by sharing user’s sensitive personal health information for years with advertising companies and platforms, and failed to report these unauthorized disclosures in direct conflict to GoodRx’s own privacy promises and the Health Breach Notification Rule.

Specifically, GoodRx has deceptively promised users it would not share personal health information with advertisers or other third-parties, to which GoodRx has repeatedly violated its own promise by sharing sensitive personal health information with third-party advertising companies and advertising platforms like Google, Facebook, and Criteo, among others. Further, GoodRx used the personal health information that it collected to target GoodRx’s own users with personalized health and medication specific advertisements on Facebook and Instagram. GoodRx also allowed third-parties it shared data with to use collected personal health information for their own research and development or improvement to advertising. GoodRx misrepresented its compliance with HIPAA and failed to implement and maintain sufficient policies and procedures to protect the personal health information of its users.

The GoodRx enforcement action by the FTC under the Health Breach Notification Rule highlights the increased scrutiny regulators are placing on companies using and disclosing consumer health information. Because of the increased scrutiny of regulators and the emphasis on the protection of sensitive consumer health information, it is imperative that businesses implement and maintain policies and procedures that prevents the unauthorized disclosures to third-party advertisers.

At The Beckage Firm, we have a team of professionals that are highly knowledgeable of HIPAA and the Health Breach Notification Rule and can help your business implement safeguards that are compliant with federal and state regulations surrounding sensitive health information. Info@thebeckagefirm.com

Data Due Diligence Law Firm, Cryptocurrency Law Firm, Data Security Law Firm, Privacy Law Firm & Incident Response Consultant

Privacy Law Firm, Data Due Diligence Law Firm & Cryptocurrency Law Firm

Data Security Law FirmData Due Diligence Law FirmPrivacy Law Firm