The Federal Trade Commission’s enforcement action against digital health company GoodRx this month is likely to be the first of many against companies trafficking in users’ sensitive medical data, according to compliance experts.
The FTC’s complaint against GoodRx, which accuses the company of sharing consumers’ health data with advertisers, is the first of its kind to lean on an enforcement mechanism called the Health Breach Notification Rule, or the HBNR, that allows regulators to levy fines against bad actors.
But it’s unlikely to be the last as regulators look to dissuade other companies from similar practices.
“I think this is the first and not the last” use of the HBNR, said Phyllis Marcus, a partner at Hunton Andrews Kurth who worked at the FTC for almost two decades. “I have no doubt.”
Regulators say they’re putting the digital health market on watch with the crackdown on companies profiting from users’ sensitive health information, especially health apps that are not covered by existing consumer protections.
Such apps, which track everything from diabetes to fertility to heart health to sleep, are increasingly collecting sensitive and personal data from consumers, but don’t fall under the purview of the HIPAA privacy law.
Although the extent of the threat from HBNR to digital health companies remains unclear, the order suggests that the FTC is willing to use every tool in its toolkit to tamp down on data sharing as medical care turns increasingly online, according to experts.
“I think this is the opening salvo and going to be a common case as health apps start to become more pervasive,” said Shawn Collins, a privacy and data security attorney at business law firm Stradling. “This is the FTC trying to signal all these apps and other startup companies that are collecting a lot of sensitive data that we have a mechanism for enforcing data privacy rules against you.”
The Health Breach Notification Rule
The government’s complaint against GoodRx accuses the California-based company, which offers prescription drug discounts, telehealth visits and other digital health services, of illegally sharing users’ information with advertisers like Google and Facebook.
As a result, GoodRx’s customers, who number in the millions, suffered substantial injury, the FTC’s complaint alleges.
The FTC’s order, filed with the Department of Justice on Feb. 1, would ban GoodRx from sharing user health data with third parties for advertising purposes. GoodRx has also agreed to pay a $1.5 million fine.
The order needs to be approved by a court to go into effect. Lawyers said approval is almost a certainty, given the FTC and GoodRx have already agreed on terms.
The FTC’s order has eight counts. The first seven counts are different iterations of the FTC’s general statutory authority around deceptive representations and unfair practices. The last count alleges that GoodRx violated the HBNR.
The HBNR, finalized in 2009, was originally intended to strong-arm companies into notifying consumers if they had a data breach that affected more than 500 users’ information. However, the FTC issued a policy statement in September 2021 suggesting it would begin reading “breach” as not just a nefarious intrusion, but any unauthorized sharing of data.
The policy statement also clarifies that health apps and fitness trackers are subject to the HBNR. Yet GoodRx said it disagrees with the assertion that its actions violated the rule.
“We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation,” GoodRx said in response to the enforcement.
But according to the FTC’s complaint, the HBNR applies because GoodRx is a “vendor of personal health records” and maintains a record of identifiable health information. Stretching back to at least 2017 and through 2020, the company experienced security breaches of more than 500 consumers’ unsecured personal health information to third parties, the FTC alleged.
“They’re not focused on the word ‘breach.’ They’re focused on the definition of breach, which is basically a distribution of data without the consent or authorization of the person whose data it is,” said Chris Leach, a partner at law firm Mayer Brown and former FTC attorney who focuses on consumer issues like data privacy and false advertising.
“It is, I feel, a more capacious definition of breach than one would normally think ... but the agency is looking at the plain text of the rule,” said Leach, who previously worked at the FTC’s division of financial practices.
Enforcement authority allows regulators to fine
The FTC’s interpretation of the HBNR is a novel reading of the decade-old regulation, and one that has big ramifications for any company found in violation, lawyers said.
“Part of the reason why the FTC is looking to a rule like this, where it hadn’t in the past, probably has a lot to do with the FTC’s loss of monetary authority,” Leach said.
Prior to 2021, the FTC was able to obtain monetary penalties for roughly four decades through what Leach called a “creative reading” of its statutes, which allowed regulators to seek equitable monetary relief in federal court.
But two years ago, the Supreme Court ruled that the FTC’s interpretation of the statute was wrong, hamstringing the FTC’s enforcement authority by limiting the agency’s ability to levy financial penalties against bad actors.
Since then, the FTC has been trying to figure out how to enact fines on some cases, lawyers said. One strategy involves pivoting to rules that allow the agency to secure monetary penalties, even for first-time violations — like the HBNR.
“It’s not a surprise that the FTC sought to obtain monetary relief and looked to this rule as a way to do that,” Marcus said.
It could have been worse for GoodRx
It’s about time the FTC leaned on the HBNR, though it could have gone farther in prosecuting GoodRx, according to Mark Bowling, Vice President of Security Response Services at cybersecurity firm ExtraHop.
Bowling, who worked at the Federal Bureau of Investigation for almost two decades, said the order illustrates that GoodRx intentionally and methodically sold user data, and should have been fined more money and required to admit fault.
“I believe they should even be more aggressive in the future,” Bowling said.
Bowling isn’t alone in his criticism that GoodRx got off lightly.
“I would have supported a larger civil penalty,” FTC Commissioner Christine Wilson wrote in a concurring opinion on the FTC’s settlement. “Based on the economic literature, I am confident that a sizable percentage of consumers would have foregone the benefits of using GoodRx’s coupons and other services had they known about the company’s sieve-like data practices, an indicator that the company’s ill-gotten gains almost certainly constitute a large multiple of the $1.5 million civil penalty.”
The $1.5 million penalty agreed to by GoodRx could have been billions, according to lawyers.
Companies that fail to comply with the HBNR could be subject to monetary penalties of up to about $44,000 per violation per day. Multiply that amount by the millions of affected users, and that’s scary math for any company found in violation, Marcus said — though the FTC does take other factors into account when determining fines, such as the culpability of the company, its ability to pay and whether it is a repeat offender.
“My expectation is that $1.5 million sets the floor and the next civil penalty will be larger,” Marcus said.
GoodRx also didn’t have to admit wrongdoing in the settlement — something that can be a sticking point for the FTC, lawyers said.
That, combined with the small fine amount, suggests that the FTC didn’t feel certain about its ability to enforce its interpretation of the HBNR in court, according to Collins. The ambiguity complicates whether this new threat of enforcement could change companies’ behavior in the digital health market. Absent comprehensive data privacy legislation, much data sharing between companies remains legal, if controversial.
But organizations that trade in health data should pay attention, experts said. The enforcement, combined with other recent high-profile actions against digital health companies, hints at how the FTC plans to restrict the sharing of sensitive health data.
Even if the threat of fines is lower than in past years, it’s still best to avoid ending up in regulatory crosshairs, according to lawyers. As a result, companies dealing in health data should be aware of their obligations under the HBNR.
“Blazing the trail is difficult. But coming behind is easier,” Leach said. “Everybody’s sort of gone through the kinks figuring out what they think about this rule. And my guess is that it’s going to be a thing now moving forward.”