DOJ Finalizes FTC Settlement With GoodRx Over Alleged Health Breach Notification Rule Violations

Following allegations of Health Breach Notification Rule violations, GoodRx agreed to pay a civil monetary penalty of $1.5 million and notify users that their information was disclosed, the DOJ announced.

The Department of Justice (DOJ) and the Federal Trade Commission (FTC) have officially resolved allegations against GoodRx surrounding violations of the FTC Act and the Health Breach Notification Rule.

As previously reported, the DOJ (on behalf of the FTC) filed a proposed order on February 1 to prohibit GoodRx from sharing health data with third parties for advertising purposes.

The government’s initial complaint alleged that “by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule.”

“The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions. GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy,” the DOJ stated.

Specifically, the complaint alleged that GoodRx leveraged third-party tracking pixels and “plug and play” software development kits from companies like Facebook, Google, Criteo, Branch, and Twilio that allegedly gathered sensitive data and used it for advertising purposes.

GoodRx responded to the February 1 filing, stating that it did not agree with the FTC’s allegations but agreed to the settlement to avoid litigation.

The DOJ’s latest announcement affirms that the court approved the proposed order, and the settlement is set to take effect. GoodRx will pay a $1.5 million civil penalty to resolve the allegations. In addition, the order requires GoodRx to notify users that their information was improperly disclosed and bans GoodRx from disclosing health information for advertising purposes in the future.

“Consumers have a right to know whether and how their personal health information will be used, and to know when it has been disclosed to third-parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division.

“The Department is committed to enforcing protections against deceptive practices and unauthorized disclosure of personal health information.” 

GoodRx will also be prohibited from further disclosing health data without affirmative consent and notice.

“Companies that misuse their customers’ sensitive health information by sharing that information without their customers’ permission or knowledge will be held accountable,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “We will continue to work with our partners at the FTC to protect against the unauthorized disclosure of such sensitive, private information.”
