February 2, 2023

Digital healthcare platform pays $1.5 million to settle FTC data breach reporting and privacy action

On February 1, 2023, the US Department of Justice brought a first-of-its-kind enforcement action against California-based digital healthcare platform GoodRx Holdings, Inc. (GoodRx), on behalf of the Federal Trade Commission (FTC). GoodRx offers telemedicine services through its product, HeyDoctor, and allows consumers – using GoodRx’s website or mobile app – to consult with physicians and obtain prescriptions online, among other features. The FTC alleges that GoodRx violated Section 5 of the FTC Act, 15 USC § 45(a)(1), and the Health Breach Notification Rule, 16 CFR § 318, which obligates vendors of personal health records and related entities to notify consumers following a breach of unsecured health information. In addition to the prohibitions and affirmative obligations under the order, GoodRx must pay a $1.5 million civil penalty.

Per the complaint filed in the US District Court for the Northern District of California, between 2017 and 2020 GoodRx shared sensitive user information – e.g., prescription medications and health conditions – with third-party advertisers and advertising platforms without the consumer’s consent, including to target users for health-related advertising campaigns. In addition, the complaint alleges that GoodRx disseminated, or caused to be disseminated, false and deceptive statements about its use and disclosure of health and personal information (i.e., the company website stated “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information,” and the HeyDoctor homepage attested to its purported compliance with the Health Insurance Portability and Accountability Act (HIPAA)). Moreover, GoodRx failed to implement an adequate written data privacy compliance program, including any policies to govern how health and personal information could be shared or any formal oversight structure, until February 2020.

In a joint motion and stipulated order, the parties agreed that GoodRx shall be permanently enjoined from disclosing health information to third parties for advertising purposes, and GoodRx agreed to refrain from misrepresenting its privacy practices (including compliance with HIPAA) and the purposes for which it collects, maintains or discloses health and personal information. The order requires GoodRx to (i) display clearly and conspicuously the categories of health information that will be disclosed, the identities of the parties to which it will be disclosed, and the purpose of the disclosure; (ii) notify individuals and the FTC of any unauthorized access to consumers’ data, with a senior corporate manager certifying compliance to the FTC annually; (iii) implement a comprehensive written privacy policy, assess and document compliance annually, perform privacy training for all employees, and adhere to an acceptable data retention policy; and (iv) engage a qualified independent assessor to review and report on the company’s privacy and data retention program for 20 years.

FTC press release | Stipulated order | Complaint