Last month, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under the Health Breach Notification Rule (“HBNR” or “the Rule”). In a complaint filed in February, the agency alleged that GoodRx Holdings Inc., a prescription drug discount and telehealth provider, violated the HBNR by sharing users’ personal health information with third-party digital advertising providers without users’ consent. The FTC also alleged that GoodRx violated Section 5 of the Federal Trade Commission Act (“FTC Act”) by engaging in unfair and deceptive business practices related to its data-sharing. The company did not admit to any wrongdoing, but agreed to pay a $1.5 million civil penalty and take corrective action as part of a settlement entered on February 17, 2023.

The HBNR applies to vendors of personal health records and related entities (think: fitness trackers, health apps, and other online businesses that collect personal health data) that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”). The Rule requires covered entities to notify consumers, the FTC, and, in some cases, the media, about breaches of security of identifiable health information. Companies that fail to comply with the HBNR may face civil monetary penalties and other sanctions.

In January 2022, the FTC released guidance explaining that a breach under the rule “is not limited to cybersecurity intrusions.” Rather, “[i]ncidents of unauthorized access, including a company’s disclosure of covered information without a person’s authorization” can also trigger notification obligations under the Rule.

The government’s complaint alleged that GoodRx violated the HBNR by tracking and disclosing users’ personal health information to third parties, such as advertisers and social media companies, without consent. According to the FTC, GoodRx’s unauthorized data-sharing practices amounted to a “breach” that triggered notification requirements under the HBNR. The FTC also alleged that GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices by engaging in data-sharing practices that were contrary to the company’s own privacy policy and other assurances that it had made to its users.

In addition to the $1.5 million civil penalty, the company also is permanently barred from disclosing user information to advertisers, with limited exceptions, and will be required to obtain users’ affirmative consent before disclosing their health information for any purpose. Additionally, GoodRx must notify users about prior disclosures and direct third parties to delete the user information that it shared with them. The company also will be required to establish a comprehensive privacy program, adopt a public data retention schedule, and undertake periodic third-party compliance assessments.

The action against GoodRx is notable for several reasons. First, the action marks the first time that the FTC has enforced the HBNR since promulgating the Rule in 2009. Moreover, the action demonstrates the FTC’s commitment to enforcing the HBNR to penalize companies that share health information without consumers’ consent, as previewed in the guidance the agency issued last year. Companies that manage personal health information should be aware of the FTC’s increased scrutiny in this area and consider whether they are covered by the Rule.