DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Digital Healthcare Platform Ordered to Pay Civil Penalties and Take Corrective Action for Unauthorized Disclosure of Personal Health Information

Posted on February 23, 2023 by Dissent

Following up on the FTC’s February 1 announcement about its enforcement action against GoodRx, the Department of Justice announced yesterday:

The Department of Justice, together with the Federal Trade Commission (FTC), announced today that the government has resolved allegations that GoodRx Holdings Inc., doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx), violated the FTC Act and the FTC’s Health Breach Notification Rule. Pursuant to a settlement by the parties, a consent order was entered last Friday by the U.S. District Court for the Northern District of California.

The government’s complaint, filed on Feb. 1, alleges that by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule. The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions. GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy. For example, GoodRx’s public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company’s advertising also featured a seal stating that it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements. Moreover, GoodRx did not comply with the Health Breach Notification Rule’s requirement to notify users that it had disclosed their health information to third parties without their consent.

The stipulated order entered by the Court on Feb. 17 requires GoodRx to pay a civil penalty of $1.5 million and to take corrective action to prevent future unauthorized disclosure of users’ sensitive health information and to ensure compliance with the FTC Act and rules. The order requires that GoodRx notify users that their information was disclosed, bans the company from disclosing health information for advertising purposes, prohibits further misrepresentations and the disclosure of health information without affirmative consent and notice, and requires that users be notified in the event of a future breach. The order also imposes ongoing recordkeeping, certification, monitoring, and compliance obligations.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”

This matter is being handled by Sarah Williams of the Civil Division’s Consumer Protection Branch, Assistant U.S. Attorney Sharanya Mohan for the Northern District of California, and Ronnie Solomon and Denise Oki of the FTC.


The statements made in the complaint are allegations that, if the case had proceeded to trial, the government would have been required to prove by a preponderance of the evidence.


The order and other documents in the case can be found linked from the FTC’s site at https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc

Related posts:

  • FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising
  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • FTC and HHS Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies
  • FTC Finalizes Changes to the Health Breach Notification Rule
Category: Breach IncidentsCommentaries and AnalysesFederalLegislationOf NoteU.S.

Post navigation

← Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
Cyberattack on food giant Dole temporarily shuts down North America production, company memo says →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.