GoodRx has recently come under fire for breaking its privacy promises and the HBNR (Health Breach Notification Rule) by sharing consumers’ personal health information without authorization.
GoodRx started out as a digital health platform for comparing medicine prices and later added telehealth services. The business has agreements with pharmacy benefit managers that let it offer users coupons for discounted prescription medications. To obtain a voucher that can be redeemed at a nearby pharmacy, a consumer supplies the name of the drug, the dosage, and their location. According to the FTC complaint, GoodRx shared some of this information, together with personal identifiers, with companies including Facebook, Google, and Criteo in order to target advertisements on those platforms at its customers and previous site visitors.
The Federal Trade Commission (FTC) has charged GoodRx with violating Section 5 of the FTC Act and the Health Breach Notification Rule, resulting in a $1.5 million civil penalty.
This is the FTC’s first-ever enforcement decision under the Health Breach Notification Rule (HBNR), which requires vendors of personal health records and PHR-related entities to notify consumers, the FTC, and in some cases the media when they discover a breach of unsecured personal health information.
What Constitutes a Data Breach?
The novel decision follows the FTC’s recent expansion of the HBNR to treat unauthorized disclosures of personal information as a potential data breach. Rather than the kind of incident we usually think of as a data breach, such as an outside attacker stealing records, GoodRx was sharing customer health information with advertisers and other third-party marketing partners without the users’ consent. The FTC is serious about following through on its broad interpretation of the HBNR, as seen by its conclusion that this unauthorized sharing is sufficient to count as a “breach” of personally identifiable health information.
Key takeaways for businesses that deal with health information:
- Review targeted advertising practices
- Ensure compliance with the HBNR (Health Breach Notification Rule)
- Continuously monitor third-party use of personal data
- Implement controls that protect personal health information