In a press release published today, the Federal Trade Commission (FTC) announced that the Department of Justice has filed a complaint and proposed order on the FTC's behalf against GoodRx Holdings, Inc. in a first-of-its-kind enforcement action under the FTC's Health Breach Notification Rule.
The complaint alleges that GoodRx violated the FTC Act by sharing sensitive personal health information with third parties, including Facebook, Google, Criteo, and others, despite stating in privacy statements that GoodRx would never share personal health information with advertisers and other third parties. The complaint also alleges that GoodRx failed to report the unauthorized disclosures as required under the FTC's Health Breach Notification Rule.
Additionally, the FTC filed a proposed order that would prohibit GoodRx from sharing health data for ads, require user consent for any other sharing, require the company to seek deletion of data shared with third parties, and limit the retention of data. The proposed order also attaches a $1.5 million penalty.
Octillo closely monitors regulatory developments involving health data and data breach response. If your organization has questions about the Health Breach Notification Rule or other regulations governing health data or breach notification, please reach out to a member of our team.
*Attorney Advertising: Prior results do not guarantee future outcomes.