Privacy Law

FTC Enforcement Action Against GoodRx and BetterHelp

By: Kewa Jiang

GoodRx and the First Enforcement Under the Health Breach Notification Rule

On February 1, 2023, the Department of Justice (DOJ), on behalf of the Federal Trade Commission (FTC), announced an enforcement action against GoodRx Holdings, Inc., a digital discount prescription drug provider, and its telehealth subsidiary platform. In the filed proposed order, the DOJ alleges that GoodRx violated the FTC’s Section 5(a) prohibition on unfair and deceptive acts and practices as well as the Health Breach Notification Rule (HBNR). The DOJ alleges GoodRx disclosed customers’ sensitive health data to third-party advertising platforms, such as Facebook, Google, and Criteo. The disclosed health information included customers’ prescription medications, personal health conditions, personal contact information, and unique advertising and persistent identifiers. GoodRx’s privacy policy, however, promised customers that it would limit the sharing of personal health information. The DOJ also contends that the HIPAA seal displayed on GoodRx’s telehealth platform website misrepresented to customers that the platform was a HIPAA-covered entity.

GoodRx’s alleged violation of HBNR is significant because this is the first time an enforcement action has been brought under the rule since it was enacted in 2009. HBNR is meant to regulate entities that handle health information and experience a data breach but that fall outside the scope of HIPAA enforcement. The DOJ alleges GoodRx is a vendor of personal health records under HBNR because the company maintains electronic personal health records of individuals’ identifiable health information but is not a HIPAA-covered entity. The DOJ argues that when GoodRx disclosed customers’ data to third-party advertising platforms without customers’ knowledge or consent, this was a data breach of “more than 500 customers’ unsecured PHR identifiable health information.”

GoodRx settled with the FTC for a $1.5 million civil penalty without admitting any wrongdoing and must comply with ongoing data privacy practices. In response, GoodRx maintains that it is committed to protecting customers’ data privacy and that the FTC’s enforcement action focused on old issues that the company had already addressed.

BetterHelp and Disclosure of Mental Health Customers’ Data

In March 2023, the FTC filed a complaint against BetterHelp, a digital mental health service, alleging the company impermissibly shared customer data with third parties, such as Facebook and Criteo, and misrepresented that it was HIPAA compliant. Similar to the allegations against GoodRx, the FTC contends the company “failed to employ reasonable measures to safeguard the health information it collected from consumers” despite repeatedly promising in its privacy policy that customers’ health data would be protected and that disclosure to third parties would be limited. BetterHelp also displayed a HIPAA compliance seal on its website, which the FTC alleges misrepresented to customers that the website met HIPAA requirements when in fact no agencies reviewed its data privacy practices. The complaint details that the disclosed customer data included email addresses, IP addresses, enrollment in the platform’s services, and certain answers customers provided to the platform’s Intake Questionnaire. Third parties that received customers’ data, such as Criteo, then re-targeted BetterHelp customers with advertisements.

BetterHelp entered into a consent decree with the FTC on March 2, 2023 and must pay $7.8 million, which will be partially used to refund customers who paid for services between August 1, 2017 and December 21, 2020. In response, BetterHelp states that using “limited, encrypted information” to optimize its advertisements is a routine industry-standard practice. The company admits no wrongdoing and affirms its continued efforts to protect customers’ data privacy.

