The FTC’s Enforcement Action: GoodRx’s Failure to Protect Its Customers’ Personal Health Information

Abhilasha Desai
Associate Editor
Loyola University Chicago School of Law, JD 2024

On February 1, 2023, the Federal Trade Commission (FTC) brought an enforcement action against GoodRx, a provider of telehealth and prescription drug services at discounted rates. In a first-of-its-kind action, the FTC alleged that GoodRx violated the Health Breach Notification Rule (HBNR) by sharing its consumers’ confidential health information with several advertising companies. While GoodRx is already facing a $1.5 million penalty for the violation, the FTC has also proposed an order that will require GoodRx to remedy the situation and make several changes to protect confidential health information in the future.

GoodRx’s violation of the HBNR

While the Health Insurance Portability and Accountability Act (HIPAA) has been around for quite some time, the HBNR went into effect in 2009. HIPAA protects the confidentiality of an individual’s private health records; however, it only governs some entities, such as hospitals, doctor’s offices, and insurance companies. For other entities that manage health records but are not governed by HIPAA, the FTC enforces the HBNR. This Rule governs vendors of personal health records (PHRs), PHR-related entities, and their third-party service providers. The HBNR requires such entities to notify consumers, the FTC, and sometimes the media, about any breach concerning personal health information. The FTC defines a “vendor of PHRs” as any “entity that offers or maintains a personal health record.” GoodRx falls squarely within this definition.

GoodRx collects personal health information to provide health-related services and products. The FTC stated in its complaint that GoodRx had promised its users that it would only share their information with certain parties and only for limited reasons, and would never share it with advertising companies or other third parties. The agency alleged that GoodRx breached this promise several times by providing its users’ personal health information to advertising companies such as Google, Facebook, and Criteo, and to other third parties. Those companies were able to use this information for their own business reasons, and GoodRx benefited by allowing these companies to create targeted ads. The FTC alleged that GoodRx acted deceptively and failed to notify its users of its conduct. While GoodRx did not agree with the agency’s allegations, it agreed to pay the $1.5 million penalty.

The FTC’s proposed order and prior warning

Aside from a monetary penalty, the FTC’s proposed order has other provisions that GoodRx will have to comply with if the order is approved by the U.S. District Court for the Northern District of California. The order prohibits GoodRx from sharing a user’s personal health information with others for advertising reasons and requires a user’s consent before information is shared for any other reason. The order also requires GoodRx to direct third parties to delete information that was shared with them, limits how long GoodRx can retain a user’s information, and requires the implementation of a strong privacy program.

GoodRx’s conduct first came to light in 2020. Consumer Reports was one of the organizations that found out about GoodRx’s conduct by using a data-capturing tool to monitor internet traffic. The monitoring showed that GoodRx was sharing personal information such as medications and specific ID numbers that could single out one of its users. After Consumer Reports published its article on this matter, GoodRx issued a statement that it would stop sharing personal information with marketing companies and was finding a way for its users to delete their information. Then, in September 2021, the FTC issued a general policy statement as a warning to clarify which entities the HBNR applies to and to remind them that they must come clean about any privacy breaches. The current enforcement action indicates that, despite the agency’s warning and GoodRx’s own statement that it would stop sharing personal information, the company failed to abide by the HBNR.

Why the enforcement action was a necessary step

GoodRx has had over 55 million consumers visit or use its website since 2017. There are many companies similar to GoodRx that deal with personal health information. If these companies, like GoodRx, also fail to abide by the HBNR, privacy breaches will increase exponentially, and users will be left without any notification. Many consumers depend on such companies to receive services and health products at more affordable costs. If such breaches occur, consumers will lose trust in these companies and will be forced to obtain services and products at higher costs elsewhere. Protecting sensitive information is a major part of the healthcare industry. The FTC’s enforcement action emphasizes the importance of that aspect and should incentivize other companies to ensure that they are adhering to the requirements of the HBNR.