Following up on the FTC’s February 1 announcement about its enforcement action against GoodRx, the Department of Justice announced yesterday:
The Department of Justice, together with the Federal Trade Commission (FTC), announced today that the government has resolved allegations that GoodRx Holdings Inc., doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx), violated the FTC Act and the FTC’s Health Breach Notification Rule. Pursuant to a settlement by the parties, a consent order was entered last Friday by the U.S. District Court for the Northern District of California.
The government’s complaint, filed on Feb. 1, alleges that by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule. The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions. GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy. For example, GoodRx’s public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company’s advertising also featured a seal stating that it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements. Moreover, GoodRx did not comply with the Health Breach Notification Rule’s requirement to notify users that it had disclosed their health information to third parties without their consent.
The stipulated order entered by the Court on Feb. 17 requires GoodRx to pay a civil penalty of $1.5 million and to take corrective action to prevent future unauthorized disclosure of users’ sensitive health information and to ensure compliance with the FTC Act and rules. The order requires that GoodRx notify users that their information was disclosed, bans the company from disclosing health information for advertising purposes, prohibits further misrepresentations and the disclosure of health information without affirmative consent and notice, and requires that users be notified in the event of a future breach. The order also imposes ongoing recordkeeping, certification, monitoring, and compliance obligations.
“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”
“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”
This matter is being handled by Sarah Williams of the Civil Division’s Consumer Protection Branch, Assistant U.S. Attorney Sharanya Mohan for the Northern District of California, and Ronnie Solomon and Denise Oki of the FTC.
The statements made in the complaint are allegations that, if the case had proceeded to trial, the government would have been required to prove by a preponderance of the evidence.
The order and other documents in the case can be found linked from the FTC’s site at https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc