In its first enforcement action under the Health Breach Notification Rule, the Federal Trade Commission fined GoodRx for disclosing customers' private health information to marketers.
The FTC submitted an order to the Department of Justice that, among other restrictions, forbids GoodRx from disclosing user health information to third parties for marketing purposes. Although the company denied any wrongdoing, GoodRx has also agreed to pay a $1.5 million fine. A federal judge must approve the order before it becomes effective.
Regulators are working harder than ever to rein in businesses that exploit consumers' health information through data practices that are not covered by existing legislation. With health applications tracking everything from diabetes to fertility to heart health to sleep, the U.S. lacks comprehensive privacy regulation, which has led to a proliferation of data sharing, including that of extremely sensitive medical information, between organizations and advertisers.
Regulators are thus using innovative tools to rein in the practice, such as the Health Breach Notification Rule. When consumers' data is disclosed or acquired without their consent, the HBNR requires health applications and other connected devices to notify users and the FTC.
In a briefing, FTC officials stated that the agency places a high priority on enforcing the HBNR to safeguard people's health privacy and that other health apps should take the rule's requirements seriously or prepare for government action.
Officials declined to comment on possible ongoing investigations.
Through a digital health platform, California-based GoodRx provides savings on prescription medications, telehealth visits, and other healthcare services. When a customer uses a GoodRx voucher to purchase medicine, the firm acquires personal and health data on that customer from both the customer and their pharmacy benefit managers.
According to the FTC, over 55 million individuals have accessed or utilized GoodRx's website or applications since January 2017.
In contravention of its privacy commitments, and without reporting the improper disclosures, GoodRx allegedly shared users' information with advertisers like Google and Facebook for years. Additionally, GoodRx exchanged user information with web engagement firm Twilio, client acquisition platform Branch, and online advertising firm Criteo.
GoodRx monetized users' personal health information and leveraged the data it shared with Facebook in order to target those same individuals with tailored, health-related ads on Facebook and Instagram. For instance, according to the FTC, in 2019 GoodRx compiled lists of customers who had purchased drugs to treat conditions like high blood pressure and heart disease and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so the social media platform could recognize their profiles and target them with ads.
Additionally, GoodRx misrepresented compliance with laws requiring corporations to obtain consent before utilizing health information for advertising while enabling third parties with whom it shared data to use it for marketing and R&D.
The business also misrepresented its adherence to HIPAA privacy legislation. According to FTC officials, the homepage of the GoodRx telehealth website displayed a seal that falsely suggested the site complied with HIPAA. The FTC counted this among the company's misleading and unfair business practices.
The FTC's proposed decision would, in addition to the $1.5 million fine, permanently prohibit GoodRx from sharing user health information with third parties for advertising purposes.
Before disclosing users' data for any other reason, GoodRx would need to obtain their express consent. According to FTC authorities, consent must be given in a manner that is distinct from a privacy policy or terms of service and must be clear, obvious, and simple to comprehend.
Additionally, the ruling would place a time limit on how long GoodRx may retain user data and mandate that GoodRx instruct third parties to delete any user health data it had provided to them.
According to GoodRx, the data-sharing problem was settled over three years ago, before the FTC investigation started, and the company consented to the settlement to avoid the time and expense of going to court.
A representative told Healthcare Dive, "We do not agree with the FTC's allegations and we admit no wrongdoing."
Compared to previous administrations, the Biden administration has been more aggressive in restricting data sharing. Since the Supreme Court rejected the constitutional right to an abortion this summer, enforcement has increased even more, raising worries that information may be used to arrest those who obtain or assist in abortions.
The FTC filed a lawsuit against data broker Kochava in August for selling geolocation information for hundreds of millions of mobile devices that could be used to track consumers' whereabouts, including their travels to and from sensitive sites like gynecological clinics.
Since the Supreme Court's ruling, a number of data brokers and tech firms, including SafeGraph and Placer.ai, have announced plans to stop providing access to geolocation data surrounding reproductive health clinics or other sensitive places. Google promised to automatically remove location history that revealed whether users had visited an abortion facility.
However, some advocates contend that digital firms aren't going far enough to safeguard consumers. In November, ten state attorneys general asked Apple to impose more stringent privacy requirements on third-party applications that collect private medical data.
Additionally, it could soon become more difficult to collect, analyze, and profit from Americans' personal information. Last summer the FTC put forward a regulatory proposal to impose stricter rules on companies that gather and sell consumer data, in order to strengthen protections for Americans' data privacy.
More than 11,000 comments have been sent to the agency about the idea so far.