Privacy Law
FTC Enforcement Action Against GoodRx and BetterHelp
By: Kewa Jiang
GoodRx and the First Enforcement Under the Health Breach Notification Rule
On February 1, 2023, the Department of Justice (DOJ), acting on behalf of the Federal Trade Commission (FTC), announced an enforcement action against GoodRx Holdings, Inc., a digital prescription drug discount provider, and its telehealth subsidiary platform. In the complaint and proposed order, the DOJ alleges that GoodRx engaged in unfair and deceptive acts and practices in violation of Section 5(a) of the FTC Act and violated the Health Breach Notification Rule (HBNR). The DOJ alleges that GoodRx disclosed customers' sensitive health data to third-party advertising platforms such as Facebook, Google, and Criteo. The disclosed information included customers' prescription medications, personal health conditions, personal contact information, and unique advertising and persistent identifiers. GoodRx's privacy policy, however, had promised customers that it would limit the sharing of personal health information. The DOJ also contends that the HIPAA seal displayed on GoodRx's telehealth platform website misrepresented to customers that the platform was a HIPAA covered entity.
GoodRx's alleged violation of the HBNR is significant because this is the first enforcement action brought under the rule since it was issued in 2009. The HBNR is meant to reach entities that handle health information and experience a data breach but fall outside the scope of HIPAA enforcement. The DOJ alleges that GoodRx is a vendor of personal health records under the HBNR because the company maintains electronic personal health records containing individuals' identifiable health information but is not a HIPAA covered entity. When GoodRx disclosed customers' data to third-party advertising platforms without customers' knowledge or consent, the DOJ argues, this constituted a breach of "more than 500 customers' unsecured PHR identifiable health information," triggering the rule's notification obligations that GoodRx did not meet.
GoodRx settled with the FTC for a $1.5 million civil penalty without admitting any wrongdoing and must comply with ongoing data privacy requirements under the order. In response, GoodRx maintains that it is committed to protecting customers' data privacy and that the FTC's enforcement action focused on old issues the company had already addressed.
BetterHelp and Disclosure of Mental Health Customers' Data
In March 2023, the FTC filed a complaint against BetterHelp, a digital mental health service, alleging that the company impermissibly shared customer data with third parties, such as Facebook and Criteo, and misrepresented that it was HIPAA compliant. Similar to the allegations against GoodRx, the FTC contends that the company "failed to employ reasonable measures to safeguard the health information it collected from consumers" despite repeatedly promising in its privacy policy that customers' health data would be protected and that disclosure to third parties would be limited. BetterHelp also displayed a HIPAA compliance seal on its website, which the FTC alleges misrepresented to customers that the website met HIPAA requirements when in fact no agency had reviewed its data privacy practices. The complaint details that the disclosed customer data included email addresses, IP addresses, enrollment in the platform's services, and certain answers customers provided to the platform's Intake Questionnaire. Third parties that received customers' data, such as Criteo, then re-targeted BetterHelp customers with advertisements.
BetterHelp entered into a consent decree with the FTC on March 2, 2023 and must pay $7.8 million, part of which will be used to refund customers who paid for services between August 1, 2017 and December 31, 2020. In response, BetterHelp states that using "limited, encrypted information" to optimize its advertising is a routine, industry-standard practice. The company admits no wrongdoing and affirms its continued efforts to protect customers' data privacy.