Facts

GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. As such, they collect personal and health information about its users. Such information includes not just personal identifying information about the users, but also information from pharmacy benefit managers confirming when consumers purchase medication using a GoodRx coupon. On February 1, 2023, the United States, on behalf of the Federal Trade Commission (FTC), filed suit in USDC Northern, pursuant to the Health Breach Notification Rule.

PLAINTIFF'S CONTENTIONS: Plaintiff contended that defendant violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company's unauthorized disclosure of individually identifiable health information to entities such as Facebook, Google, Criteo, Branch, and Twilio. Specifically, plaintiffs alleged that defendant's actions--disclosing consumers' health and personal information to third parties; failing to limit third-party use of that health information; misrepresenting that the health information was protected under the Health Insurance Portability and Accountability Act; failing to implement sufficient policies or procedures to prevent the improper or unauthorized disclosure of the health information; failing to notify users of breaches of that information; and failing to provide notice and obtain consent before use and disclosure of health information for advertising--were deceptive and unfair acts or practices in violation of Section 5 of the FTC Act.

DEFENDANT'S CONTENTIONS: Defendant neither admitted nor denied the complaint's allegations except as specified by the court order.

Result

By stipulated judgment, defendant will pay $1.5 million in penalties and was permanently prohibited from engaging in the deceptive practices outlined in the complaint, including a prohibition of sharing health data for ads; requiring an affirmative express consent from users before disclosure of their health information to third parties; mandating that third parties must delete shared consumer health data; and informing consumers about any breaches to their personal information. Other limitations were also placed on how long defendant could retain personal and health information data, including posting that retention schedule and detailing the information it collected and why that information was necessary.