On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

The FTC’s Health Breach Notification Rule defines a “breach of security” as “acquisition of [unsecured PHR identifiable health information] without the authorization of the individual.” In its 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices, the FTC reminded entities offering services covered by the Health Breach Notification Rule that “a ‘breach’ is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.”

The complaint against GoodRx, filed by the Department of Justice on behalf of the FTC in the U.S. District Court for the Northern District of California, alleges that GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosures of consumers’ health information to third party advertising companies and advertising platforms including Facebook, Google, and Criteo, and other third parties including Branch and Twilio. The alleged disclosures were unauthorized because GoodRx promised that it would never share personal health information with advertisers or other third parties. Notably, GoodRx never provided notice of these types of disclosures to customers, or obtained their consent thereto.

In addition to allegations related to GoodRx’s advertising and data sharing practices, the FTC also alleged that GoodRx violated the FTC Act by misrepresenting its HIPAA compliance by displaying a seal on its telehealth homepage that falsely suggested it complied with the law, and by failing to implement “sufficient formal, written, or standard privacy or data sharing policies or compliance programs.”

In addition to the $1.5 million penalty, the proposed order would:

- Prohibit GoodRx from engaging in such marketing practices;
- Require GoodRx to notify affected individuals of the unauthorized disclosures;
- Require GoodRx to instruct recipients of the health information to delete it;
- Require GoodRx to maintain a comprehensive privacy program;
- Require GoodRx to undergo a privacy assessment by a third party auditor;
- Require GoodRx to report certain security incidents to the FTC within 30 days of discovery; and
- Require GoodRx to submit to compliance reporting, recordkeeping and compliance monitoring requirements.