The Federal Trade Commission’s Health Breach Notification Rule requires vendors of personal health records and related entities to issue notifications to consumers in the event of a breach of unsecured personal records. The rule took effect in 2009, yet compliance has not been enforced. That has now changed. Yesterday, the FTC issued its first penalty for noncompliance with the Health Breach Notification Rule to the prescription drug provider, GoodRx Holdings Inc, which has been ordered to pay a financial penalty of $1.5 million.
In September 2021, the FTC issued a policy statement announcing its intention to start actively enforcing the Health Breach Notification Rule with a focus on health apps, which are generally not covered by HIPAA and whose data breaches are therefore not subject to the notification requirements of the HIPAA Breach Notification Rule. Two guidance documents, Health Breach Notification Rule: The Basics for Business and Complying with FTC’s Health Breach Notification Rule, were published in January 2022 and clearly explained which entities are covered by the Health Breach Notification Rule, the types of events that require notifications to consumers, and how notifications should be issued. The first financial penalty was imposed almost a year to the day after the guidance was issued, for the failure to notify consumers about unauthorized disclosures of their personal health information to Facebook, Google, Criteo, and others for advertising purposes.
GoodRx is a Santa Monica, CA-based provider of a telemedicine platform that includes a free-to-use website and mobile app that consumers can use to track prescription drug prices and obtain coupons that provide discounts on medications. The platform can also be used to arrange telehealth visits and access other health services. Users of the service provide personal and health information to GoodRx, which also collects data from pharmacy benefit managers when users make purchases using GoodRx coupons. Since January 2017, more than 55 million consumers have used the GoodRx website and mobile app.
FTC Identifies Multiple Privacy Violations and Deceptive Business Practices
According to the FTC complaint, GoodRx violated the FTC Act and its own privacy policy by sharing the sensitive personal and health information of its users with tech firms and social media websites without notifying users about those disclosures or obtaining consent to do so.
GoodRx told users of its website and mobile app that their personal health information would never be shared with advertisers or other third parties; however, the FTC determined that since at least 2017 GoodRx repeatedly violated that promise and shared personal health information with third parties such as Facebook, Google, Criteo, Branch, Twilio, and others for advertising purposes, including information about users’ health conditions and their prescription medications.
The personal health information of users was monetized and the data shared with Facebook was used to target its own users with adverts on Meta platforms such as Facebook and Instagram. The FTC cited one such example from 2019 where GoodRx compiled lists of users who had purchased certain medications for heart disease and blood pressure, then uploaded their email addresses, phone numbers, and advertising IDs to Facebook to allow those users to be identified in order to serve them with targeted health-related advertisements.
GoodRx also permitted third parties such as Facebook to use the shared data for their own internal purposes, while falsely claiming compliance with Digital Advertising Alliance principles, which require consent to be obtained before using health information for advertising purposes. GoodRx also misrepresented HIPAA compliance by displaying a seal on its telehealth services homepage falsely claiming it was in compliance with the HIPAA Rules. The company also failed to implement appropriate policies and procedures to protect the personal and health information of its users, and only implemented formal, written privacy and data-sharing policies when its data practices were publicly revealed by a consumer watchdog in February 2020.
The FTC said GoodRx was in violation of the Health Breach Notification Rule for failing to notify consumers of the impermissible disclosures of their personal health information, and the severity of those violations warranted a financial penalty. In addition to the financial penalty, GoodRx is prohibited from sharing the health data of its users for advertising purposes, must obtain consent from users for any other data sharing, must direct the third parties to whom health data were disclosed to delete that information, and must implement a comprehensive privacy program. The proposed penalty is now awaiting approval from the federal court.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
GoodRx issued a statement about the proposed penalty saying that the FTC investigation concerns an old issue that was addressed almost 3 years ago, before the FTC even started investigating the alleged impermissible disclosures. GoodRx maintains there was no wrongdoing and says the decision to settle the investigation was taken to avoid the time and expense of protracted litigation. “In fact, almost three years ago, before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy,” explained GoodRx. “While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices. We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare.”
Criteo issued a statement to HIPAA Journal regarding the FTC allegations. “Criteo’s data policies and privacy practices on our platform prohibit most of the targeted advertising campaigns and programs referenced in the FTC complaint against GoodRx. Consistent with our policies and practices in place with our clients, we can confirm that in connection with our digital advertising services with GoodRx, Criteo never received any personally identifiable information, such as name or email address, or prescription and medical information, such as a user looking at a particular prescription.”
The post FTC Issues First Financial Penalty for a Health Breach Notification Rule Violation appeared first on HIPAA Journal.