Last week, the Federal Trade Commission (FTC) announced its first-ever financial penalty for a violation of the FTC Health Breach Notification Rule. GoodRx was alleged to have failed to issue notification letters to customers whose health information was disclosed to third parties such as Google and Facebook via tracking technologies on its website and mobile app. GoodRx said it decided to settle the case and pay a $1.5 million financial penalty to avoid the time and expense of protracted litigation, and that proactive steps were taken to address the issue prior to the FTC investigation. The settlement has yet to be approved by a federal judge.
Several healthcare data breaches have been reported over the past few months that involved impermissible disclosures of protected health information to third parties such as Google, Meta, and others due to the use of tracking technologies on websites and mobile apps. Multiple lawsuits have been filed over those impermissible disclosures, and the GoodRx data breach is no exception.
A lawsuit was filed in the U.S. District Court for the Northern District of California on February 2, 2023, just a few days after the FTC announced the financial penalty. The lawsuit names GoodRx and three of the companies referenced in the FTC announcement as defendants – Google, Meta, and Criteo – and makes similar allegations to the FTC complaint. The lawsuit takes issue with the promise GoodRx made never to disclose the personal and health information of its customers to advertisers and other third parties, and to use the personal medical data of its customers only to fulfill customers’ requests, such as providing coupons for prescription medications. The lawsuit also takes issue with GoodRx’s claim that the company adheres to Digital Advertising Alliance principles, which include not disclosing health information for online behavioral advertising without consent, and with GoodRx’s display of a HIPAA seal on its website suggesting compliance with the Health Insurance Portability and Accountability Act (HIPAA).
The plaintiff and others represented in the lawsuit allege that their personal and health information was disclosed to third parties without their consent, when they had been informed that no such disclosures would occur and that defendants Google, Meta, and Criteo “knowingly and intentionally intercepted plaintiff and class members’ personal information, including health information relating to their medical conditions, symptoms, and prescriptions, communicated through the GoodRx Platform.” The lawsuit claims GoodRx monetized customer data and used the information to serve targeted advertisements based on previous prescriptions and visits to web pages related to birth control and erectile dysfunction medications, that Google, Meta, and Criteo profited from the customer data transmitted by GoodRx, and that the disclosures constituted “an extreme invasion of plaintiff’s and class members’ privacy.”
The lawsuit alleges common law invasion of privacy, intrusion upon seclusion, unjust enrichment, violations of the California Confidentiality of Medical Information Act (CMIA), aiding and abetting violations of CMIA, violations of the California Invasion of Privacy Act, violations of the California Consumers Legal Remedies Act, and violations of the California Business and Professions Code. The lawsuit seeks class action certification, an award of declaratory relief, statutory, actual, compensatory, consequential, punitive, and nominal damages, as well as restitution and/or disgorgement of profits unlawfully obtained.
GoodRx maintains there was no wrongdoing. “Before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy… While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations – and that remains common practice among many health, consumer and government websites – we are proud that we took action to be an industry leader on privacy practices.”
Google confirmed that it prohibits personalized advertising based on sensitive data such as health information and that it has strict policies in place regarding the types of information that can be shared. While Meta has not commented on the GoodRx case, it has issued statements in response to Meta Pixel-related data breaches at HIPAA-regulated entities, confirming that Meta prohibits such disclosures and has mechanisms in place that automatically filter out sensitive personal data so that it is not sent to advertisers. While Criteo has not commented on the lawsuit, a statement was provided to HIPAA Journal about the FTC allegations. “Criteo’s data policies and privacy practices on our platform prohibit most of the targeted advertising campaigns and programs referenced in the FTC complaint against GoodRx. Consistent with our policies and practices in place with our clients, we can confirm that in connection with our digital advertising services with GoodRx, Criteo never received any personally identifiable information, such as name or email address, or prescription and medical information, such as a user looking at a particular prescription.”
The post Lawsuit Seeks Damages for GoodRx Users for Invasion of Privacy appeared first on HIPAA Journal.