GoodRx Holdings Inc. is a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. In February 2023, the Department of Justice, together with the Federal Trade Commission (FTC), resolved allegations that GoodRx violated the FTC Act and the FTC's Health Breach Notification Rule by disclosing users' personal health information to third parties without their authorization. GoodRx shared details about medications and sensitive health conditions with companies like Facebook, Google, and Criteo, despite assurances that it would protect users' privacy and comply with HIPAA requirements. As a result, GoodRx was ordered to pay a $1.5 million civil penalty and take corrective action to prevent future unauthorized disclosures of user information. This case highlights the importance of protecting consumers' sensitive health data and enforcing compliance with privacy laws and regulations.
Characteristics | Values |
---|---|
Date | 22nd February 2023 |
Allegation | GoodRx violated the FTC Act's prohibition on unfair and deceptive trade practices and the FTC's Health Breach Notification Rule |
Action | The Department of Justice and the Federal Trade Commission announced that the government had resolved the allegations |
Outcome | GoodRx was ordered to pay a civil penalty of $1.5 million and take corrective action to prevent future unauthorized disclosure of users' sensitive health information |
Misrepresentation | GoodRx falsely suggested it complied with the Health Insurance Portability and Accountability Act (HIPAA), although it is not a covered entity under HIPAA and never complied with its requirements |
User Data | GoodRx shared personal health information with third-party advertising companies and platforms without user authorization |
User Consent | GoodRx failed to obtain user consent for sharing health data for advertising purposes |
User Rights | GoodRx gave users no way to request a restriction on the use or disclosure of their health information |
What You'll Learn
- GoodRx's unauthorized disclosure of personal health information
- GoodRx's misrepresentation of HIPAA compliance
- GoodRx's failure to notify users of data breaches
- GoodRx's failure to implement policies to protect personal health information
- GoodRx's sharing of personal health information with third parties
GoodRx's unauthorized disclosure of personal health information
On February 22, 2023, the Department of Justice, together with the Federal Trade Commission (FTC), resolved allegations that GoodRx Holdings Inc. violated the FTC Act and the FTC's Health Breach Notification Rule. The government's complaint, filed on February 1, alleged that GoodRx disclosed millions of users' personal health information to third parties without their authorization, consent, or knowledge. This included personally identifying information, as well as details about medications and sensitive health conditions.
GoodRx shared this personal health information despite its repeated assurances that the company would protect users' privacy. For example, GoodRx's public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company's advertising also featured a seal stating that it was "HIPAA Secure: Patient Data Protected," even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements.
The FTC complaint further alleged that GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms, including Facebook, Google, and Criteo, contrary to its privacy promises. GoodRx also failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.
As a result of these allegations, GoodRx was ordered to pay a civil penalty of $1.5 million and to take corrective action to prevent future unauthorized disclosure of users' sensitive health information. The order also included ongoing record-keeping, certification, monitoring, and compliance obligations.
This case highlights the importance of protecting consumers' sensitive health information and the need for companies to uphold their privacy promises. It serves as a reminder that digital health companies and mobile apps should not misuse or exploit consumers' personal health information for financial gain.
GoodRx's misrepresentation of HIPAA compliance
GoodRx, a California-based digital health platform, has been accused of misrepresenting its compliance with the Health Insurance Portability and Accountability Act (HIPAA). Despite claiming to be "HIPAA Secure" in its advertising and featuring a seal suggesting compliance with the Act on its telehealth services homepage, GoodRx is not a covered entity under HIPAA and has never complied with its requirements.
The Department of Justice and the Federal Trade Commission (FTC) announced that GoodRx Holdings Inc. had resolved allegations that it violated the FTC Act and the FTC's Health Breach Notification Rule. The government's complaint, filed on February 1, 2023, alleged that GoodRx disclosed millions of users' personal health information to third parties without their authorization, consent, or knowledge. This included personally identifying information and details about medications and sensitive health conditions.
GoodRx shared this information despite its public policies stating that it would not provide third parties with any information that revealed personal health conditions or personal health information. The company's actions violated the FTC Act's prohibition on unfair and deceptive trade practices.
The FTC complaint also alleged that GoodRx:
- Shared personal health information with Facebook, Google, Criteo, and others, despite promising its users it would never do so.
- Used personal health information to target its users with ads on Facebook and Instagram.
- Failed to limit third-party use of personal health information, allowing it to be used for research and development or to improve advertising.
- Failed to implement policies to protect personal health information, with no sufficient formal, written, or standard privacy or data-sharing policies in place until its actions were publicly revealed in February 2020.
As a result of these allegations, GoodRx was ordered to pay a $1.5 million civil penalty and take corrective action to prevent future unauthorized disclosures of users' sensitive health information. The order also included ongoing record-keeping, certification, monitoring, and compliance obligations.
GoodRx's failure to notify users of data breaches
GoodRx failed to notify its users of data breaches, despite being required to do so by the Health Breach Notification Rule. The company disclosed millions of users' personal health information to third parties without their authorization, consent, or knowledge. This included personally identifying information, as well as details about medications and sensitive health conditions.
GoodRx shared this personal health information despite repeatedly assuring its users that the company would protect their privacy. For example, GoodRx's public policies stated that the company would not provide any information to third parties that revealed a personal health condition or personal health information. The company's advertising also featured a seal stating that it was "HIPAA Secure: Patient Data Protected," even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements.
GoodRx's failure to notify its users of these disclosures was among the allegations resolved in a settlement with the Federal Trade Commission (FTC) and the Department of Justice. As part of the settlement, GoodRx was ordered to pay a $1.5 million civil penalty and take corrective action to prevent future unauthorized disclosure of users' sensitive health information. The order also requires GoodRx to notify users that their information was disclosed, bans the company from disclosing health information for advertising purposes, and requires that users be notified in the event of any future breaches.
GoodRx's actions violated the trust of its users and led to a significant financial penalty. The company's failure to notify users of the data breaches highlights the importance of transparency and accountability in handling sensitive personal information.
GoodRx's failure to implement policies to protect personal health information
GoodRx failed to implement policies to protect its users' personal health information. Until a consumer watchdog publicly revealed GoodRx's actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data-sharing policies or compliance programs in place.
GoodRx violated the FTC Act by disclosing millions of users' personal health information to third parties without the users' authorization, consent, or knowledge. GoodRx shared this personal health information despite its repeated assurances that the company would protect users' privacy. For example, GoodRx's public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company's advertising also featured a seal stating that it was "HIPAA Secure: Patient Data Protected," even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements.
GoodRx also violated the Health Breach Notification Rule by failing to notify consumers, the Federal Trade Commission (FTC), and the media about the company's unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio.
To remedy the conduct alleged in the complaint, a proposed federal court order prohibits the company from engaging in the deceptive practices outlined in the complaint and requires GoodRx to comply with the Health Breach Notification Rule. Other provisions of the proposed order against GoodRx include:
- Prohibiting the sharing of health data for advertising purposes
- Requiring user consent for any other sharing of health information
- Requiring the company to seek deletion of data from third parties
- Limiting retention of data
- Implementing a mandated privacy program with strong safeguards to protect consumer data
GoodRx's sharing of personal health information with third parties
GoodRx, a California-based digital health platform, has been accused of sharing its users' personal health information with third parties without their authorization, consent, or knowledge. The company shared sensitive personal health information, including prescription medications and personal health conditions, with third-party advertising companies and platforms such as Facebook, Google, Criteo, Branch, and Twilio. This was a violation of its own privacy promises, as well as the FTC Act and the FTC's Health Breach Notification Rule.
GoodRx collects personal and health information about its users, including information provided by the users themselves and data from pharmacy benefit managers confirming when a consumer purchases medication using a GoodRx coupon. The company also collects precise location information, such as GPS data, when users request information about the nearest pharmacy.
GoodRx's privacy policy states that it does not sell personal medical information and does not provide personally-identifiable medical information to third parties in exchange for payment. However, Shoshana Wodinsky, a journalist at Gizmodo, discovered that her usage information, such as how often she opened or closed the app, was shared with Branch and Facebook, while Braze and Google Analytics received data about the name of her pharmacy and her specific prescriptions.
GoodRx is not a covered entity under HIPAA, as it is not a health plan, health care clearinghouse, or healthcare provider. As a result, GoodRx has not been required to comply with HIPAA's privacy and information security protections for health data, and the government's case against it rested on the FTC Act and the Health Breach Notification Rule rather than on HIPAA.
To address these concerns, the Department of Justice and the Federal Trade Commission (FTC) took enforcement action against GoodRx. A proposed order, filed by the Department of Justice on behalf of the FTC, prohibits GoodRx from sharing user health data with applicable third parties for advertising purposes and requires the company to pay a $1.5 million civil penalty. The order also includes provisions to prohibit the sharing of health data for ads, require user consent for any other sharing, direct third parties to delete consumer health data, limit data retention, and implement a comprehensive privacy program.
Frequently asked questions
No, GoodRx is not bound by HIPAA laws as it is not a covered entity under HIPAA. However, GoodRx was found to have broken its promises to users about how it would use and share their personal health information. GoodRx shared information about users' health conditions and prescription drugs with digital advertisers without users' permission.
GoodRx was required to pay a civil penalty of $1.5 million and take corrective action to prevent future unauthorized disclosure of users' sensitive health information. The company is now prohibited from sharing health data with third parties that would use it for advertising and must obtain users' permission to share health data for any other purpose.
Violating HIPAA laws can result in civil and criminal penalties. Civil penalties for covered entities or business associates start at $137 per violation and can rise to $2,067,813 when a violation is due to willful neglect and not corrected within 30 days. Criminal penalties for individuals and organizations can include fines and imprisonment.
Here are some ways to protect your privacy:
- Opt out of targeted ads if possible.
- Check if you can customize your privacy settings and limit access to only the information the app needs.
- Find out if you have the right to request that a company delete your data.