The US Federal Trade Commission (FTC) Wednesday announced a $1.5 million civil penalty against digital healthcare company GoodRx for its failure “to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies” in violation of the FTC’s Health Breach Notification Rule (HBNR) (18 CFR § 318) and 15 U.S.C. § 45(a)(1).
The fine is the FTC’s first action under its HBNR. The HBNR requires businesses and non-profits “not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information.” The FTC’s Policy Statement indicates that makers of health apps and connected devices, such as GoodRx, must comply with the HBNR.
The FTC voted 4-0 in favor of referring its complaint and stipulated final order to the US Department of Justice (DOJ) for filing. The FTC’s complaint alleges that “GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the” HBNR. Despite GoodRx’s promises to its users not to share their personal information, including personal health information, with advertisers or third parties, GoodRx repeatedly violated those promises over a four-year period and shared “extremely intimate and sensitive details about GoodRx users” related to users’ physical health, mental health, and their other personal information.
FTC Commissioner Christine S. Wilson issued a concurring statement in which she stated that “[t]oday’s settlement marks the first enforcement matter in which the FTC has invoked the HBNR.” Additionally, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated:
Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.
GoodRx released its own statement regarding its FTC settlement in which GoodRx stated its disagreement with the FTC’s allegations and admitted no wrongdoing. GoodRx emphasized its “commitment to being at the forefront of safeguarding users’ privacy” and conveyed that it “[e]nter[ed] into the settlement to avoid the time and expense of protracted litigation.”