{"id":6615,"date":"2023-02-13T18:31:00","date_gmt":"2023-02-13T18:31:00","guid":{"rendered":"https:\/\/www.dinsmore.com\/?post_type=publications&p=6615"},"modified":"2025-11-24T20:36:52","modified_gmt":"2025-11-24T20:36:52","slug":"the-ftc-announces-first-health-breach-notification-rule-enforcement-action","status":"publish","type":"publications","link":"https:\/\/www.dinsmore.com\/publications\/the-ftc-announces-first-health-breach-notification-rule-enforcement-action\/","title":{"rendered":"The FTC Announces First Health Breach Notification Rule Enforcement Action"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

On February 1, the Federal Trade Commission (\u201cFTC\u201d) announced<\/a> enforcement action for the first time under its Health Breach Notification Rule[1]<\/a>. The complaint against telehealth and prescription drug discount provider GoodRx Holdings Inc. (\u201cGoodRx\u201d), alleges its failure to notify consumers and others of its unauthorized disclosures of consumers\u2019 personal health information to Facebook, Google and other companies.<\/p>\n\n\n\n

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect. The Health Breach Notification Rule requires vendors of personal health records and related entities, which are not covered by the Health Insurance Portability and Accountability Act (HIPAA), to notify consumers and the FTC of unauthorized disclosures. In a September 2021 policy statement<\/a>, the FTC warned health apps and connected devices that they must comply with the rule.<\/p>\n\n\n\n

According to the FTC\u2019s complaint<\/a>, for years GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms\u2014contrary to its privacy promises\u2014and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.  Specifically, the FTC claims GoodRx shared personal health information with Facebook, Google, Criteo and others. According to the FTC, since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information\u2014such as including its users\u2019 prescription medications and personal health conditions. <\/p>\n\n\n\n

The FTC also alleges GoodRx monetized its users\u2019 personal health information, and used data it shared with Facebook to target GoodRx\u2019s own users with personalized health and medication-specific advertisements on Facebook and Instagram. <\/p>\n\n\n\n

The FTC further alleges that GoodRx:<\/p>\n\n\n\n