Bad GoodRx: FTC’s First-of-its Kind Enforcement Action
On February 1, 2023, the Federal Trade Commission (FTC) issued a press release announcing:

The [FTC] has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider [and vendor of personal health records] GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

The FTC alleged that GoodRx shared sensitive personal health information with advertising companies and platforms, contrary to its privacy promises, and failed to report such unauthorized disclosures as required by the Health Breach Notification Rule. The FTC alleged GoodRx:

• Shared personal health information with Facebook, Google, Criteo, and others

• Used personal health information to target its users with advertisements

• Failed to limit third-party use of personal health information

• Misrepresented its HIPAA compliance, and

• Failed to implement policies to protect personal health information.

In September 2021, the FTC issued a policy statement specifically affirming that health apps and connected devices that collect the health data of consumers must comply with the Health Breach Notification Rule, which requires, among other things, that those subject to the rule notify consumers and others when consumers’ health information is breached.

It is also worth noting that this action follows the recently published guidance from the Department of Health & Human Services, Office for Civil Rights (OCR) on the use of online tracking technologies by HIPAA-covered entities and business associates. See our prior Health Law Update article on this topic.

If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.