DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Digital Healthcare Platform Ordered to Pay Civil Penalties and Take Corrective Action for Unauthorized Disclosure of Personal Health Information

Posted on February 23, 2023 by Dissent

Following up on the FTC’s February 1 announcement about its enforcement action against GoodRx, the Department of Justice announced yesterday:

The Department of Justice, together with the Federal Trade Commission (FTC), announced today that the government has resolved allegations that GoodRx Holdings Inc., doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx), violated the FTC Act and the FTC’s Health Breach Notification Rule. Pursuant to a settlement by the parties, a consent order was entered last Friday by the U.S. District Court for the Northern District of California.

The government’s complaint, filed on Feb. 1, alleges that by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule. The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions. GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy. For example, GoodRx’s public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company’s advertising also featured a seal stating that it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements. Moreover, GoodRx did not comply with the Health Breach Notification Rule’s requirement to notify users that it had disclosed their health information to third parties without their consent.

The stipulated order entered by the Court on Feb. 17 requires GoodRx to pay a civil penalty of $1.5 million and to take corrective action to prevent future unauthorized disclosure of users’ sensitive health information and to ensure compliance with the FTC Act and rules. The order requires that GoodRx notify users that their information was disclosed, bans the company from disclosing health information for advertising purposes, prohibits further misrepresentations and the disclosure of health information without affirmative consent and notice, and requires that users be notified in the event of a future breach. The order also imposes ongoing recordkeeping, certification, monitoring, and compliance obligations.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.”

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”

This matter is being handled by Sarah Williams of the Civil Division’s Consumer Protection Branch, Assistant U.S. Attorney Sharanya Mohan for the Northern District of California, and Ronnie Solomon and Denise Oki of the FTC.


The statements made in the complaint are allegations that, if the case had proceeded to trial, the government would have been required to prove by a preponderance of the evidence.


The order and other documents in the case can be found linked from the FTC’s site at https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc

Category: Breach IncidentsCommentaries and AnalysesFederalLegislationOf NoteU.S.

Post navigation

← Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
Cyberattack on food giant Dole temporarily shuts down North America production, company memo says →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.