On February 1, 2023, the Federal Trade Commission (FTC) issued a press release announcing:
“The [FTC] has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider [and vendor of personal health records] GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.”
The FTC alleged that GoodRx shared sensitive personal health information with advertising companies and platforms, contrary to its privacy promises, and failed to report such unauthorized disclosures as required by the Health Breach Notification Rule. The FTC alleged GoodRx:
• Shared personal health information with Facebook, Google, Criteo, and others
• Used personal health information to target its users with advertisements
• Failed to limit third-party use of personal health information
• Misrepresented its HIPAA compliance, and
• Failed to implement policies to protect personal health information.