Governance & Risk Management , Privacy , Standards, Regulations & Compliance
FTC Hits Firm With $1.5M Fine in Health Data-Sharing CaseFirst Enforcement Action Under 14-Year-Old FTC Health Data Breach Notification Rule
The Federal Trade Commission has for the first time enforced its almost 14-year-old health data breach notification rule: The commission on Wednesday smacked GoodRx, a telehealth and discount prescription drug provider, with a $1.5 million civil penalty for failing to disclose to consumers that it shared their data with advertisers, including Facebook and Google.
The FTC says GoodRx for years shared sensitive personal health information with third-party companies contrary to its privacy promises and also failed to report the unauthorized disclosures as required by the FTC's Health Breach Notification Rule. The agency enlisted the Department of Justice to file a complaint and a proposed order in the U.S. District Court for the Northern District of California. The order is subject to approval by a federal judge.
The FTC in 2021 expanded its interpretation of the breach notification rule to include incidents of unauthorized access, not just data breaches that were the result of cybersecurity incidents. It also said personal health records covered by the notification rule include apps capable of drawing information from multiple sources.
The revamped interpretation drew opposition from the two Republicans on the agency commission, who accused their Democratic counterparts of stretching the agency's authority. Tech industry representatives had similar reactions, characterizing the agency's new policy statement as boot-strapping a notification law into a privacy regulation. Congress enacted the health data breach notification statute during the Obama administration in expectation of an explosion in consumer-grade health records that failed to materialize despite that era's short-lived optimism over health data portability and hopes for a new, data-driven approach to healthcare.
FTC officials have privately said industry acceptance of the new policy statement on the breach notification law would be key to cementing its legitimacy, making GoodRx's acquiescence important not just for users whose privacy was allegedly violated but potentially for future enforcement actions.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.
GoodRx said it disagrees with the agency's assertion that it violated the health data breach notification law, calling the FTC's allegations "a novel application" of the statute. Settling the complaint involves no admission of wrongdoing and the company says it is proceeding merely "to avoid the time and expense of protracted litigation."
The complaint alleges a pattern of disregard for privacy, including through the sharing of users' prescription and medical conditions information with Facebook, Google, Criteo, Branch and Twilio. More than 55 million consumers have visited or used GoodRx's website or mobile app since January 2017, the complaint states.
GoodRx allegedly used its consumers' personal health information that it shared with Facebook to also provide its own users with personalized health and medication-specific advertisements on Facebook and Instagram.
It wasn't until February 2020 that GoodRX put into place policies or procedures to protect its personal health information. But even then, "it failed to notify users that their health information had been disclosed without their authorization," the complaint states.
Privacy watchdogs including Consumer Reports in early 2020 investigated the company's privacy practices, inquiries that led GoodRX into a pledge to stop sharing health data with Facebook and to allow users to delete their data. The company reported $745.4 million worth of revenue in 2021 but ended the year with $25.3 million in losses.
In addition to the civil monetary penalty, the proposed federal court order against GoodRx seeks a permanent injunction against such actions. It also requires GoodRx to notify any third party with which it shared personal health information and demand written confirmation that the party deleted it.
Lucia Savage, former privacy officer at the Department of Health and Human Services' Office of the National Coordinator for Health IT, told Information Security Media Group that the FTC has been clearly signaling for some time that it intended to take robust action related to health information in the consumer space.
"I am not surprised by its advent or its content," says Savage, now chief privacy and regulatory officer at Omada Health.
Savage says the FTC action "is a stipulated order, which means GoodRx and the FTC are presenting it together to the judge as the best path forward. GoodRx is not fighting the FTC here."
Pam Dixon, executive director of the World Privacy Forum, is also pleased with the FTC's action.
"In short, this was an exciting day for us," she says. "The precedent regarding HIPAA misrepresentation cannot be overstated in its importance," she says, regarding the FTC citing GoodRx for falsely telling consumers through a seal that its telehealth services homepage was HIPAA-compliant.
"This is a very big deal, and it has been a serious problem for some time now," she says. "The proposed order is excellent. They did a very good job with this, covering a variety of onerous behavior."