The FTC continues to demonstrate its seriousness about enforcing consumer privacy protections. In February 2023, the FTC and GoodRx Holdings Inc., a prescription drug discount provider, reached a $1.5 million settlement for violations of the Health Breach Notification Rule, the first enforcement of a rule introduced in 2009.
In 2009, the Federal Trade Commission issued the Health Breach Notification Rule, which governs vendors' responsibilities to the consumers whose personal health records they hold, including a responsibility to "notify consumers following a breach involving unsecured information." In light of the FTC's recent increase in regulatory actions related to consumer privacy (such as its actions against Epic Games, Drizly and its CEO, and Vonage), organizations must be prepared to demonstrate compliance with every regulation in the FTC's toolkit.
According to the FTC, GoodRx violated the rule by sharing personal health information from its 55 million users with Facebook, Google, Criteo, and other digital advertisers for years, failing to report the unauthorized disclosure, and attempting to give the impression that it was HIPAA compliant. The information, which included prescriptions and health conditions, was used to target users with personalized, health-related ads on digital platforms. The advertisers in turn used the PHI for their own purposes.
While much has changed in the realm of privacy regulation since the Rule was originally crafted in 2009 (and even since it was updated in 2020), the most important aspect of this action is that it demonstrates the FTC's seriousness about protecting consumers using any and every regulation at its disposal. In its press release, Samuel Levine, Director of the FTC's Bureau of Consumer Protection, explained, "The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."
While the $1.5 million settlement is not as large as other recent FTC actions, GoodRx must undertake a number of remedies to address its violations of the Health Breach Notification Rule. They include:
- A prohibition on sharing user health data for advertising
- A requirement to obtain clear, express consent before sharing PHI for other purposes
- Deletion of consumer PHI by the third parties with whom GoodRx shared it
- Implementation and documentation of a data retention schedule for health information
- Implementation of a comprehensive privacy program to protect consumer data
The Department of Justice filed the complaint with the US District Court for the Northern District of California, which must approve the order for it to be finalized.
The case demonstrates a key point for understanding compliance issues in many organizations: "never attribute to malice what can equally be attributed to ignorance."
Often in privacy there is no conscious desire to violate, or to risk violating, the law. Rather, there is a failure to engage in the right processes, such as privacy impact assessments, or a failure to fully understand what personal information the organization holds, how it flows through the organization, and what is being shared with third parties. These also signify a failure in accountability: the responsibility, at all levels of the organization, for the uses of personal information, and for clearly linking those uses to the valid and legal bases on which the information can be used and shared.
Ultimately, this can be summarized as a failure in data governance. The starting point for addressing it is data inventory and mapping, so that the data, its uses, and the associated risks can be understood, and so that accountability for decisions about those uses is consciously assumed at the appropriate levels within the organization.
Conducting a data inventory helps you understand what data you hold, where it is, and how you use it, but there are barriers that can make it difficult to conduct one. Learn how to overcome the challenges to a successful data inventory in a recent Exterro whitepaper.