On February 1, 2023, the Federal Trade Commission (FTC) announced a complaint against and proposed settlement agreement (the “proposed order”) with GoodRx, a digital health company, over its data sharing practices that allegedly resulted in the disclosure of sensitive health information to third parties. This is the first enforcement action the FTC has ever brought under the Health Breach Notification Rule (HBNR).[1] The commissioners unanimously voted to approve the proposed order, which must be published for public comment before the FTC can approve the final order. The case follows the FTC’s policy statement from September 2021, which signaled the FTC’s intention to target digital health apps and connected devices under the HBNR. The GoodRx final order, if approved by the FTC, would require the company to pay $1.5 million in civil penalties and permanently cease sharing health information with third parties for any advertising purpose, thus demonstrating the FTC’s desire to impose new, aggressive remedies against digital health apps and connected devices.
The Rule
The HBNR requires vendors of personal health records (PHR), PHR-related entities, and third-party service providers to notify consumers and the FTC (and the media, in some cases) if the company experienced a breach of unsecured identifiable health information, or otherwise face civil penalties for violations. The HBNR does not apply to entities already covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996) or their business associates.
Since 2010, the FTC had traditionally taken the position that the HBNR applies only to PHR vendors and PHR-related entities when their services allowed consumers to draw information directly from a traditional healthcare entity or professional, e.g., a physician licensed to practice medicine, or an employer-sponsored group health plan. But in September 2021, the FTC effectively attempted to broaden the applicability of the HBNR to cover digital health apps and connected devices. In its novel interpretation, the FTC claimed that 1) developers of healthcare apps were healthcare providers furnishing healthcare services, 2) health information on apps could constitute a PHR when information was drawn from multiple sources, and 3) breaches of security were not limited to just cybersecurity events but could also include sharing of information without an individual’s authorization.
GoodRx Complaint Allegations
GoodRx is a digital health company that advertises, distributes, and sells health-related products and services directly to consumers. It is best known for offering discounted prescription medication and telehealth services.
The complaint alleges four main misrepresentations:
The complaint also includes two unfairness counts. First, it alleges that GoodRx failed to implement sufficient policies or procedures to prevent the improper or unauthorized disclosure of users’ personal health information, or to notify users of breaches of that information. Second, it alleges that the failure to provide notice and obtain consent to use health information for advertising was unfair.
Finally, the FTC alleges that GoodRx violated the HBNR by failing to provide notifications to consumers, the FTC, and the media after experiencing “breaches of security,” because third parties acquired more than 500 users' unsecured identifiable health information without their prior authorization.
The Proposed Order
Under the proposed order, GoodRx would be required to pay $1.5 million in civil penalties for violating the HBNR. The proposed order would also require GoodRx to:
GoodRx responded to the complaint and proposed order by admitting no wrongdoing. The company also stated that the FTC’s allegations focused on an “old issue that was proactively addressed almost three years ago” and, notably, disagreed with the FTC’s interpretation and application of the HBNR to its use of tracking tools to advertise to consumers.
Observations
The GoodRx case is an example of the FTC’s aggressive enforcement strategy around sensitive health data. Below are some observations:
First, the FTC is committed to enforcing new, expensive, and aggressive remedies under the HBNR. Although this is the FTC’s first case to seek civil penalties under the HBNR, it will likely not be the last, and we might see an increase in the cost for these civil penalties. In her concurrence, FTC Commissioner Christine Wilson stated that she would have supported a larger civil penalty in this case, and she pointed to studies that highlight consumers placing a high value on their health information.
Second, this proposed order would permanently prohibit GoodRx from sharing user health information with third parties for advertising purposes. This novel limitation would prohibit even those data use and sharing practices that consumers affirmatively consent to. The signal from the FTC appears to be consistent with the sentiments the FTC expressed in its Advance Notice of Proposed Rulemaking, in which it suggested that, given the scale of data use and sharing practices, “consumer consent may be irrelevant.”
Lastly, this case signals the FTC’s plans to continue carrying out novel enforcement actions without formal rulemaking. The FTC has not conducted a proper rulemaking to expand the applicability of the HBNR, but instead only released the policy statement on digital health apps and connected devices in 2021. Notably, the FTC enforced the HBNR against GoodRx for alleged violations that occurred between 2017 and 2020. Companies should expect that the FTC will continue to enforce the HBNR in this expansive manner and may look to practices that occurred even before the FTC’s new interpretation of the HBNR.
Wilson Sonsini routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Maneesha Mithal, Tracy Shapiro, Haley Bavasi, Hale Melnick, Stacy Okoro, or any member of the firm’s privacy and cybersecurity practice.
[1] As of September 15, 2021, the FTC had received notice of a breach of security from entities covered by the HBNR only four times. Prepared Remarks of Commissioner Rohit Chopra Regarding the FTC Policy Statement on Privacy Breaches by Health Apps and Connected Devices (Sept. 15, 2021), https://www.ftc.gov/system/files/documents/public_statements/1596352/20210915_final_chopra_oral_remarks_health_breach_notification_rule.pdf.