FTC Proposes Enforcement Action Prohibiting GoodRx from Disclosing Users’ Health Information for Advertising

King & Spalding

On February 1, 2023, the Federal Trade Commission (FTC) announced that it has taken enforcement action for the first time under its Health Breach Notification Rule (HBNR) against GoodRx Holdings Inc. (GoodRx), for allegedly failing to notify consumers and others about unauthorized disclosures of personal health information to advertisers and other third parties. GoodRx and the FTC have stipulated to a proposed order, which, if approved by the court, would require GoodRx to pay $1.5 million and prohibit it from sharing users’ health information with third-party advertisers.

The FTC alleges that GoodRx participated in deceptive and unfair acts in violation of the FTC Act, including allegations that GoodRx unlawfully shared its users’ personal health information with third-party advertising companies, misrepresented compliance with the Digital Advertising Alliance Principles and HIPAA, failed to implement policies or procedures to protect personal health information, and failed to notify users and obtain their consent before using and disclosing health information for advertising. The FTC also alleges that GoodRx violated the HBNR by failing to notify consumers, the FTC, and the media about the unauthorized disclosure of identifiable health information.

The main basis for these allegations is GoodRx’s alleged disclosure of health-related data to advertising platforms through tracking tools, such as pixels. These tracking tools allegedly recorded and transmitted sensitive information to third parties through “events,” i.e., actions taken on GoodRx’s websites. For example, the complaint alleges that, when a user accessed a GoodRx coupon for a medication, a Facebook pixel recorded the medication name and related health condition associated with the coupon under the event names “Drug Name” and “Drug Category.” In addition to pixels that conveyed drug information, the complaint also describes another pixel on GoodRx’s telehealth website. This pixel transmitted the specific URL that a user visited within GoodRx’s treatment pages prior to beginning a telehealth consultation. The treatment page URLs directly referenced a health condition, such as ‘www.heydoctor/goodrx.com/services/hyperlipidemia,’ which linked to GoodRx’s treatment services for high cholesterol.
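A defender-side check for the disclosure pattern described above, added here as an example (it is not from the article, the complaint, or GoodRx's own code): it audits captured outbound pixel request URLs for custom event fields and page paths that name a medication or health condition. The tracker host, the `dl` page-URL parameter, the term list, and the sample beacons are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Condition terms to look for in visited-page paths. Constructed list for
# illustration; a real audit would use the site's own treatment catalogue.
SENSITIVE_TERMS = {"hyperlipidemia", "hiv", "depression", "erectile"}
# Custom event fields that carry medication detail (names as in the complaint).
SENSITIVE_EVENT_KEYS = {"drug name", "drug category"}

# Constructed sample of outbound tracking requests as a network capture
# would show them; 'dl' is assumed to carry the URL of the page being viewed.
SAMPLE_BEACONS = [
    "https://tracker.example/tr?ev=PageView"
    "&dl=https%3A%2F%2Fwww.pharmacy-site.test%2Fservices%2Fhyperlipidemia",
    "https://tracker.example/tr?ev=Coupon&Drug%20Name=atorvastatin"
    "&Drug%20Category=statins&dl=https%3A%2F%2Fwww.pharmacy-site.test%2Fcoupon",
    "https://tracker.example/tr?ev=PageView"
    "&dl=https%3A%2F%2Fwww.pharmacy-site.test%2Fabout",
]


def audit_beacon(beacon_url):
    """Return the reasons one pixel request would disclose health information
    to the third party that receives it (empty list means nothing flagged)."""
    query = urlsplit(beacon_url).query
    params = dict(parse_qsl(query, keep_blank_values=True))  # percent-decoded
    findings = []
    # 1. Event fields that name a medication or its therapeutic category.
    for key, value in params.items():
        if key.strip().lower() in SENSITIVE_EVENT_KEYS and value:
            findings.append(f"event field {key!r} carries {value!r}")
    # 2. The visited page URL forwarded to the pixel: treatment pages whose
    #    path segment is a condition name reveal it by URL alone.
    page_segments = urlsplit(params.get("dl", "")).path.lower().split("/")
    for term in sorted(SENSITIVE_TERMS):
        if term in page_segments:
            findings.append(f"page path segment {term!r} names a health condition")
    return findings


def audit_all(beacons):
    """Map each captured beacon URL to its list of findings."""
    return {beacon: audit_beacon(beacon) for beacon in beacons}


if __name__ == "__main__":
    for beacon, findings in audit_all(SAMPLE_BEACONS).items():
        print(beacon.split("?")[0], "->", findings or "clean")
```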

The government alleges that, ultimately, this information sharing enabled GoodRx, through the use of digital advertisers and their platforms, to target users with advertisements based on the health conditions and drug purchases associated with the user. GoodRx did not seek specific contractual assurances from digital advertisers to protect the health information. Rather, GoodRx agreed to their standard terms of use and/or entered into agreements that permitted digital advertisers to use the health information for their own internal business purposes.

DOJ and GoodRx stipulated to a proposed order, which requires court approval. The stipulated proposed order seeks a $1.5 million civil penalty and the following other restrictions against GoodRx:

  • Prohibition on the sharing of health information for advertising: The proposed order would permanently enjoin GoodRx from disclosing user health information to applicable third parties for advertising purposes.
  • Prohibition on the disclosure of health information without consent and notice: The proposed order would restrict GoodRx from disclosing user health information to applicable third parties for other purposes without first obtaining users’ affirmative express consent. The order would also require GoodRx to clearly and conspicuously state the categories of health information that it will disclose to third parties and the purposes for disclosure.
  • Notifications after breach: The proposed order would require GoodRx to notify each individual, the FTC, and the media following the discovery of unauthorized acquisition of the individuals’ identifiable health information.
  • Deletion of data: The proposed order would require GoodRx to instruct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action.
  • Privacy program and limited retention of data: The proposed order would require GoodRx to establish and maintain a comprehensive privacy program that includes strong safeguards to protect consumer data. The proposed order would also require GoodRx to limit how long it can retain personal and health information according to a publicly posted data retention schedule.
  • Compliance reporting: If approved, the proposed order would require GoodRx to submit annual compliance reports to the FTC.

The GoodRx complaint carries several lessons for all healthcare providers. The FTC is continuing its privacy and security enforcement focus with respect to health information. The FTC’s enforcement has been focused on (i) health information that gets transmitted for marketing purposes, (ii) insufficient disclosure to consumers about the use of health information, and (iii) agreements with vendors that may have access to health information. It appears that the FTC expects every healthcare provider that has any online presence (e.g., websites, apps) to monitor the use and disclosure of visitor-identifying information.

The FTC’s complaint is available here, and the proposed order is available here. An FTC press release announcing the proposed order is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
