The Federal Trade Commission has for the first time enforced its almost 14-year-old health data breach notification rule: The commission on Wednesday smacked GoodRx, a telehealth and discount prescription drug provider, with a $1.5 million civil penalty for failing to disclose to consumers that it shared their data with advertisers, including Facebook and Google.
The FTC says GoodRx for years shared sensitive personal health information with third-party companies, contrary to its privacy promises, and also failed to report the unauthorized disclosures as required by the FTC’s Health Breach Notification Rule. The agency enlisted the Department of Justice to file a complaint and a proposed order in the U.S. District Court for the Northern District of California. The order is subject to approval by a federal judge.
The FTC in 2021 expanded its interpretation of the breach notification rule to include incidents of unauthorized access, not just data breaches that were the result of cybersecurity incidents. It also said personal health records covered by the notification rule include apps capable of drawing information from multiple sources.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.