The Department of Justice, together with the Federal Trade Commission (FTC), announced that the government has resolved allegations that GoodRx Holdings Inc., doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx), violated the FTC Act and the FTC’s Health Breach Notification Rule. Pursuant to a settlement by the parties, a consent order was entered by the US District Court for the Northern District of California. The government’s complaint, filed on Feb. 1, alleges that by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule. The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions.
GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy. For example, GoodRx’s public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information. The company’s advertising also featured a seal stating that it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements. Moreover, GoodRx did not comply with the Health Breach Notification Rule’s requirement to notify users that it had disclosed their health information to third parties without their consent.