On February 1, 2023, the US Department of Justice brought a first-of-its-kind enforcement action against California-based digital healthcare platform GoodRx Holdings, Inc. (GoodRx) on behalf of the Federal Trade Commission (FTC). GoodRx offers telemedicine services through its product, HeyDoctor, and allows consumers – using GoodRx's website or mobile app – to consult with physicians and obtain prescriptions online, among other features. The FTC alleges that GoodRx violated Section 5 of the FTC Act, 15 USC § 45(a)(1), and the Health Breach Notification Rule, 16 CFR § 318, which obligates vendors of personal health records and related entities to notify consumers following a breach of unsecured health information. In addition to the prohibitions and affirmative obligations under the order, GoodRx must pay a $1.5 million civil penalty.
Per the complaint filed in the US District Court for the Northern District of California, between 2017 and 2020 GoodRx shared sensitive user information – e.g., prescription medications and health conditions – with third-party advertisers and advertising platforms without the consumer’s consent, including to target users for health-related advertising campaigns. In addition, the complaint alleges that GoodRx disseminated, or caused to be disseminated, false and deceptive statements about its use and disclosure of health and personal information (i.e., the company website stated “we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information,” and the HeyDoctor homepage attested to its purported compliance with the Health Insurance Portability and Accountability Act (HIPAA)). Moreover, until February 2020 GoodRx failed to implement an adequate written data privacy compliance program: it had no policies to govern how health and personal information could be shared and no formal oversight structure.