GoodRx Holdings Inc.
Issued by Federal Trade Commission (FTC) on 2023-02-01
What happened
The FTC fined GoodRx $1.5 million in the agency's first-ever enforcement action under the Health Breach Notification Rule. GoodRx, a popular prescription drug discount platform, shared users' sensitive personal health information — including medications they searched for and purchased, health conditions, and personal contact information — with advertising companies including Facebook, Google, and Criteo without users' knowledge or authorization. Despite prominently featuring a 'HIPAA' badge on its website and app, GoodRx was not actually a HIPAA-covered entity. The company used tracking pixels and SDKs that transmitted health data to these advertising platforms, which then used the information to target users with health-related advertisements.
Articles violated
Lessons learned
Digital health apps that are not HIPAA-covered entities are still subject to FTC enforcement for health data misuse. Displaying a HIPAA badge without being HIPAA-covered is deceptive. The Health Breach Notification Rule applies to non-HIPAA entities handling health data. Companies must audit all tracking technologies (pixels, SDKs) to understand exactly what data is being shared with third parties. Health-adjacent businesses should assume that the FTC will enforce health data protections even outside HIPAA's scope.
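The audit point above is the one practitioners can act on: every pixel and SDK call should be inspected for what it actually carries, not what the vendor's documentation says it carries. The script below is an added example, not GoodRx code and not part of the FTC order. It reads a browser HAR capture (the network log a developer-tools session exports), keeps only requests to a short, illustrative list of third-party tracker hosts, and flags any query parameter or request-body field, including nested JSON, that contains a term from a constructed health vocabulary. The sample HAR, the tracker host list, the request paths and the term list are all assumptions for illustration; a real audit would use the app's own drug and condition catalogue and the trackers it actually loads.

```python
"""Flag health terms leaking to third-party tracker endpoints in a HAR capture.

Added example (not GoodRx code, not from the FTC order). Hosts, paths, terms and
the sample HAR below are constructed for illustration.
"""
import json
import re
from urllib.parse import parse_qsl, urlparse

# Illustrative third-party tracker hosts; a real audit lists every host the
# app's pixels and SDKs contact (assumption, not a complete list).
TRACKER_HOSTS = {
    "www.facebook.com",          # Meta Pixel /tr endpoint
    "www.google-analytics.com",  # Google Analytics collect endpoint
    "dis.criteo.com",            # Criteo display endpoint
}

# Constructed vocabulary; substitute the app's own drug/condition catalogue.
HEALTH_TERMS = {"metformin", "sertraline", "diabetes", "depression", "hiv"}

# Word boundaries so short terms like "hiv" don't match inside "archive".
TERM_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in sorted(HEALTH_TERMS)) + r")\b", re.I
)


def _flatten(obj, prefix=""):
    """Yield (dotted.path, value) pairs for a nested JSON body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _flatten(value, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), str(obj)


def request_fields(entry):
    """Yield (location, field_name, value) for a HAR entry's query string and POST body."""
    req = entry["request"]
    for name, value in parse_qsl(urlparse(req["url"]).query, keep_blank_values=True):
        yield "query", name, value
    post = req.get("postData") or {}
    text = post.get("text", "")
    if "json" in post.get("mimeType", "") and text:
        try:
            for path, value in _flatten(json.loads(text)):
                yield "body", path, value
        except ValueError:          # malformed JSON: inspect the raw text instead
            yield "body", "<raw>", text
    elif text:                      # form-encoded or opaque body
        for name, value in parse_qsl(text, keep_blank_values=True):
            yield "body", name, value
    for param in post.get("params", []):   # HAR may carry form params here instead
        yield "body", param.get("name", ""), param.get("value", "")


def audit_har(har):
    """Return one finding per tracker-bound field that contains a health term."""
    findings = []
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        if host not in TRACKER_HOSTS:
            continue                # first-party traffic is out of scope for this check
        for where, name, value in request_fields(entry):
            match = TERM_RE.search(value)
            if match:
                findings.append({"host": host, "where": where,
                                 "field": name, "term": match.group(0).lower()})
    return findings


# Constructed HAR excerpt: two leaks, one first-party call, one benign ping.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",   # pixel event carrying the searched drug name
                 "url": "https://www.facebook.com/tr/?id=123&ev=Search&cd[search_string]=metformin"}},
    {"request": {"method": "GET",   # same query to the app's own backend: not flagged
                 "url": "https://api.example-pharmacy.test/search?q=metformin"}},
    {"request": {"method": "POST",  # SDK event with the drug nested in a JSON body
                 "url": "https://dis.criteo.com/example/event",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"events": [{"product": {"name": "Sertraline 50mg"}}]})}}},
    {"request": {"method": "GET",   # analytics pageview with no health terms
                 "url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fhome"}},
]}}

if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR):
        print(f"{f['host']}: {f['where']} field '{f['field']}' contains '{f['term']}'")
```

Run it against a HAR exported from a session that searches for a medication and completes a purchase; anything it flags is a field you must either strip before the tracker fires or justify with explicit user authorization. The same logic applies to mobile SDK traffic captured through an intercepting proxy.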
Source
View original decision
Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
