FTC's "First-of-Its-Kind" $1.5 Million Civil Penalty for Breach of Unsecured Data by a Consumer Health App

This blog is the first of two blogs discussing the FTC’s enforcement of the Health Breach Notification Rule. The second blog is “FTC’s Second of Its Kind $7.8 Million Civil Penalty Settlement for Breach by a Covered Entity”. Use the forward and backward arrows on the bottom of the screen to navigate among the blogs.

Do you think that consumer health apps are exempt from the need to secure their customer’s data or the requirement to notify their customers when their personal health information has been disclosed to a third party without their customer's consent? Think again.

The FTC just filed a "First-of-Its-Find" $1.5 million civil penalty for the breach of unsecured data by a consumer health app. GoodRx Holdings, a commonly used patient app, allegedly beached data and failed to notify customers of a breach of their personal health information on 50 million customers. The FTC has reached a proposed settlement with GoodRx Holdings whereby GoodRx Holdings has agreed to pay a $1.5 million civil penalty as well as other restrictions for violating the Health Breach Notification Rule and The Federal Trade Commission Act (FTC Act) Section 5 Unfair or Deceptive Acts or Practices. GoodRx Holdings denies any wrongdoing. In order to go into effect, a Federal court must approve the order.

For the first time, the Federal Trade Commission (FTC) has exercised its enforcement rights under the Health Breach Notification Rule to impose a fine for failing to notify customers and others of its unauthorized disclosure of their personal health information.

 
Regulatory Agencies

To understand what happened, let’s first review the regulations. There are two primary regulatory agencies that are charged with the investigation and prosecution of the unauthorized release of patient health information (known as a data breach), they are: 

1. Federal Trade Commission (FTC) - The FTC’s mission is to protect the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.

2. Office of Civil Rights (OCR) – The OCR is a U.S. Department of Health and Human Services law enforcement agency that ensures compliance with our nation’s civil rights, conscience, and religious freedom, and health information privacy and security laws by investigating complaints and conducting compliance reviews, requiring corrective and remedial action, promulgating policy and regulations, and providing technical assistance and public education for the American people. One of the laws that the OCR is charged with enforcing is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (more about it in the second blog post entitled Second of Its Kind FTC Proposed Settlement for Breach by a Covered Entity).

One would naturally assume that the enforcement of a breach of health data would fall under the jurisdiction of the OCR under HIPAA. But this case was brought by the FTC.

FTC Policy Statement 

On September 15, 2021, the FTC issued a Policy Statement warning consumer health apps, connected devices, web apps, and APIs that they must comply with the FTC Health Breach Notification Rule to notify consumers when their data was shared with a third party without their consent. This Policy Statement stated that consumer health apps “can track everything from glucose levels to heart health, to fertility, to sleep, increasingly collect sensitive personal data from consumers. These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access.” Further, “Companies that fail to comply could be subject to monetary penalties of up to $43,782 per violation per day.” These fines can add up to a lot of money.

The FTC Health Breach Notification Rule (16 CFR Part 318):

1. If a services provider to one of these entities has a breach, it must notify the entity, which in turn must notify its customers.
2. If the breach involved 500 or more people, then the vendor must notify the media. 

For those of you who are familiar with HIPAA, these rules might sound really familiar and that is because these are the same rules that HIPAA has, but I want to point out this case was not HIPAA. This was brought by the FTC under their breach notification rule.

The Federal Trade Commission Act (FTC Act) Section 5 Unfair or Deceptive Acts or Practices

Further, this case also involved The Federal Trade Commission Act (FTC Act) Section 5 Unfair or Deceptive Acts or Practices which prohibits “unfair or deceptive acts or practices in or affective commerce.”

“Deceptive” practices are defined as involving a material representation, omission, or practice that is likely to mislead a consumer acting reasonably see 15 U.S.C. Sec 45(a)(4)(A).

“Unfair” a practice is unfair if it “causes or is likely to cause substantial injury to the consumer which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. Sec 45(n). This law is often referred to as the truth-in-advertising standard which by law claims that you make in advertising must be truthful, cannot be deceptive or unfair, and must be evidence-based.

GoodRx Holdings Allegations

For at least six years, since 2017, GoodRx Holdings, Inc. doing business as:

1. GoodRx
2. GoodRx Gold
3. GoodRx Care
4. Hey Doctor
5. Hey Doctor by Good Rx

allegedly disclosed and/or sold “sensitive personal health information (PHI)” to third parties for marketing and advertising purposes including:

1. Meta Facebook
2. Google
3. Criteo
4. Instagram
5. Other tracking, marketing, and advertising vendors

 GoodRx allegedly:

GoodRx deceptively promised its users it would never sell their personal health information – including its user's prescription medications and personal conditions.

1. GoodRx misrepresented its HIPAA compliance by displaying a seal at the bottom of its telehealth application suggesting it complied with HIPAA.
2. GoodRx violated its promises not to share data and, in fact, did share its customer's personal health information with Facebook and Instagram and allowed third parties to use PHI for their own purposes, including internal research, product development, and targeted advertising. For example, in August 2019 GoodRx compiled lists of its users who had purchased particular medications and uploaded their email addresses, phone numbers, and mobile IDs to Facebook so it could identify their profiles.
3. GoodRx failed to limit third-party use of personal health information and falsely claimed that it complied with Digital Advertising Alliance principles which require consent prior to using personal health information.
4. GoodRx failed to obtain their consumer's authorization for the acquisition of data.
5. GoodRx failed to obtain the consumers’ consent to sell their data for marketing and advertising purposes.
6. GoodRx failed to secure data using technology or methodology in compliance with the American Reinvestment and Recovery Act of 2009.
7. GoodRx failed to notify customers of a breach of their personal health information related to the use of website tracking, marketing, and advertising technologies.
8. GoodRx failed to have written policies and procedures on how it was protecting the privacy of personal health information. 

Why the Enforcement Agency is the FTC, not the OCR

The FTC is a consumer protection agency that does not have jurisdiction to enforce HIPAA. That jurisdiction falls under the OCR. However, the FTC does have the right to enforce the Health Breach Notification Rule and FTC Act Section 5 Unfair or Deceptive Acts or Practices.  GoodRx allegedly failed to notify patients of the breach of their personal health information violating the Health Breach Notification Rule. Further, GoodRx falsely “displayed a seal at the bottom of its telehealth services homepage suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)” violating The Federal Trade Commission Act Section 5 that protects the interest of all consumers to prevent deceptive and unfair acts or practices to mislead consumers.

The Proposed Settlement Order 

1. GoodRx agreed to pay a $1.5 million settlement payment; however, denied any wrongdoing.
2. GoodRx is permanently prohibited from disclosing personal health information to third parties for advertising.
3. GoodRx must obtain consumers’ affirmative express consent, without manipulation before disclosing personal health information to applicable third parties for certain purposes and provide conspicuous details to users about such disclosures.
4. GoodRx is prohibited from making misrepresentations in advertising.
5. GoodRx, following the discovery of Breach of Security of Unsecured PHI, shall:
   1. Notify each citizen or resident of authorized Beach of Security.
   2. Notify the FTC.
   3. Notify prominent media outlets in the state or jurisdiction where more than 500 residents of such state or jurisdiction were reasonably believed to have data breached.
6. GoodRx is to direct third parties to delete the healthcare entities' PHI and inform consumers of breaches and the FTC’s enforcement action against the healthcare entity.
7. GoodRx is to limit the retention of PHI pursuant to a publicly posted data retention schedule.
8. GoodRx is mandated to create a “comprehensive privacy program that includes strong safeguards to protect consumer data”.
9. GoodRx is required to have a Privacy Assessment by a third party the first year and every two years for the next twenty years.

Statement by the Directory of FTC's Bureau of Consumer Protection 

Samuel Levine, Director of the FTC's Bureau of Consumer Protection stated that "Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," and that "The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."

Sign up today and start securely sharing medical records now.  Call us today at 816.249.2555 or email us at info@isharemedical.com.

Disclaimer: iShare Medical is a health information technology company. The information provided in this blog does not and is not intended to, constitute legal or medical advice. Should you need legal or medical advice, please contact a qualified legal or medical licensed professional.