FTC issues fine to GoodRx over information sharing

The Federal Trade Commission (“FTC”) has kicked off what may be a new wave of digital health compliance enforcement.  On February 1, 2023, the FTC announced its first enforcement action under the Health Breach Notification Rule. The Complaint, filed by the Department of Justice on behalf of the FTC, alleges that GoodRx shared “sensitive user information with third-party advertising companies and platforms . . . like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.”  It further alleges that the information GoodRx shared with Facebook was used to provide targeted advertisements to GoodRx users on Facebook and Instagram.  The Complaint alleges that GoodRx, by sharing this information, violated Section Five of the FTC Act and the Health Breach Notification Rule.

The FTC publicly announced the action by filing the Complaint along with a proposed order for permanent injunctive relief. The order, if approved by the Court, prohibits GoodRx from sharing its users’ health data for advertising and requires payment of a $1.5 Million civil penalty.  The proposed order also notably includes a mandated privacy program and privacy assessment by a third party.     

The FTC’s enforcement action also is notable because, unlike in most incidents commonly considered security breaches, the defendant’s disclosure was voluntary and not the result of a malicious intrusion or inadvertence. The action could indicate that the FTC from now on intends to scrutinize digital platforms that collect or share health information or other sensitive data, and in particular their data-sharing practices.

A private class action lawsuit has also been filed in the United States District Court for the Northern District of California based on the same allegations.[1] The Complaint alleges a nationwide class of “All natural persons in the United States who used the GoodRx Platform and whose communications and/or data were shared with third parties, including the Advertising and Analytics Defendants.”

[1] Doe v. GoodRx Holdings, Inc., et al., 3:23-cv-00501-LB (N.D. Cal.).