by Brian Shilhavy
Editor, Health Impact News

The U.S. Department of Justice (DOJ) announced yesterday that it and the Federal Trade Commission (FTC) had reached a settlement with GoodRx Holdings Inc., which markets an online prescription drug app, GoodRx.

The case settled for $1.5 million after the government filed a complaint earlier this month alleging that GoodRx had disclosed millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge.

The Department of Justice, together with the Federal Trade Commission (FTC), announced today that the government has resolved allegations that GoodRx Holdings Inc., doing business as GoodRx Gold, GoodRx Care, and Hey Doctor (GoodRx), violated the FTC Act and the FTC’s Health Breach Notification Rule. Pursuant to a settlement by the parties, a consent order was entered last Friday by the U.S. District Court for the Northern District of California.

The government’s complaint, filed on Feb. 1, alleges that by disclosing millions of users’ personal health information to third parties without the users’ authorization, consent, or knowledge, GoodRx violated the FTC Act’s prohibition on unfair and deceptive trade practices and the FTC’s Health Breach Notification Rule.

The users’ information that was disclosed included personally identifying information, as well as details about medications and sensitive health conditions.

GoodRx shared this personal health information despite its repeated assurances that the company would protect users’ privacy.

For example, GoodRx’s public policies stated that the company would not provide to third parties any information that revealed a personal health condition or personal health information.

The company’s advertising also featured a seal stating that it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and it never complied with HIPAA requirements.

Moreover, GoodRx did not comply with the Health Breach Notification Rule’s requirement to notify users that it had disclosed their health information to third parties without their consent. (Full Press Release here.)

GoodRx claims it did nothing wrong and that it only settled to “avoid the time and expense of protracted litigation.”

Filed by the Department of Justice on behalf of the FTC, the proposed order will prohibit GoodRx from sharing user health data with applicable third parties.

The telehealth and prescription drug discount provider agreed to pay a $1.5 million civil penalty. A blog post on the GoodRx website stated that the company admits no wrongdoing but agreed to settle in order to “avoid the time and expense of protracted litigation.”

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release.

“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

According to the complaint (PDF) filed by the FTC, GoodRx violated the FTC Act and acted against its own privacy promises by sharing sensitive personal health information with advertising entities.

The FTC alleges that these practices took place for years and were not reported to the federal government as is required by the Health Breach Notification Rule.

The filing states that since 2017, the California-based company promised its users that it would never share personal health information with advertisers or other third parties.

Facebook, Google and Criteo are some of the third parties listed as alleged recipients of users’ prescription medications and personal health conditions, personal contact information and unique advertising and persistent identifiers. (Full article.)

The $1.5 million penalty agreed to by GoodRx could have been billions, according to lawyers

Rebecca Pifer, writing for HealthCareDive.com, states that this is the first time the FTC has taken action against Big Tech by using the Health Breach Notification Rule, which was passed in 2010, and that it signifies the U.S. Government’s intent to start going after more online digital health companies that sell users’ personal health information without their consent.

The Federal Trade Commission’s enforcement action against digital health company GoodRx this month is likely to be the first of many against companies trafficking in users’ sensitive medical data, according to compliance experts.

The FTC’s complaint against GoodRx, which accuses the company of sharing consumers’ health data with advertisers, is the first of its kind to lean on an enforcement mechanism called the Health Breach Notification Rule, or the HBNR, that allows regulators to levy fines against bad actors.

But it’s unlikely to be the last as regulators look to dissuade other companies from similar practices.

“I think this is the first and not the last” use of the HBNR, said Phyllis Marcus, a partner at Hunton Andrews Kurth who worked at the FTC for almost two decades. “I have no doubt.”

Regulators say they’re putting the digital health market on watch with the crackdown on companies profiting from users’ sensitive health information, especially health apps uncovered by existing consumer protections.

Such apps, which track everything from diabetes to fertility to heart health to sleep, are increasingly collecting sensitive and personal data from consumers, but don’t fall under the purview of the HIPAA privacy law.

“I think this is the opening salvo and going to be a common case as health apps start to become more pervasive,” said Shawn Collins, a privacy and data security attorney at business law firm Stradling. “This is the FTC trying to signal all these apps and other startup companies that are collecting a lot of sensitive data that we have a mechanism for enforcing data privacy rules against you.”

It’s about time the FTC leaned on the HBNR, though it could have gone farther in prosecuting GoodRx, according to Mark Bowling, Vice President of Security Response Services at cybersecurity firm ExtraHop.

Bowling, who worked at the Federal Bureau of Investigation for almost two decades, said the order illustrates that GoodRx intentionally and methodically sold user data, and should have been fined more money and required to admit fault.

“I believe they should even be more aggressive in the future,” Bowling said.

Bowling isn’t alone in his criticism that GoodRx got off lightly.

“I would have supported a larger civil penalty,” FTC Commissioner Christine Wilson wrote in a concurring opinion on the FTC’s settlement. “Based on the economic literature, I am confident that a sizable percentage of consumers would have foregone the benefits of using GoodRx’s coupons and other services had they known about the company’s sieve-like data practices, an indicator that the company’s ill-gotten gains almost certainly constitute a large multiple of the $1.5 million civil penalty.”

The $1.5 million penalty agreed to by GoodRx could have been billions, according to lawyers.

Companies that fail to comply with the HBNR could be subject to monetary penalties of up to about $44,000 per violation per day. Multiply that amount by the millions of affected users, and that’s scary math for any companies found in violation, Marcus said — though the FTC does take other factors into account when determining fines, such as the culpability of the company, its ability to pay the amounts and repeat offenses.

“My expectation is that $1.5 million sets the floor and the next civil penalty will be larger,” Marcus said. (Full article.)

“Data” is the New “Gold Rush” – Let the Data Wars Begin

“Data” is the coveted source of wealth and control sought after today, and “health data” is seen as one of the most lucrative fields in which to gather data on the public.

Data is what is needed to train “artificial intelligence” (AI), and Big Tech sees digital data as the “key to life,” with “dataism” emerging as a new religion. See:

“Dataism” is the New Religion of AI and Transhumanism: Those Who Own and Control the Data Control Life

I am glad to see this new effort to rein in private medical data being sold to the highest bidder, but I have learned to take a skeptical view of anything the U.S. government does, and that includes the FTC.

For decades now the FTC has protected the pharmaceutical industry by going after alternative health practitioners and their natural products, as they did when COVID started in 2020, by going after doctors who were reporting 100% success in treating the symptoms of COVID with natural products such as high-dose Vitamin C.

It was announced yesterday that the FTC was going to allow Amazon.com’s multibillion-dollar purchase of One Medical, an online membership-based primary care provider with 188 medical clinics in 29 markets and 815,000 members.

Amazon officially becomes a health care provider after closing purchase of One Medical

Amazon’s months-long effort to acquire One Medical is finished — for now, at least. The company has officially completed its $3.9 billion purchase, giving it a primary healthcare provider with in-person and virtual treatment as well as lab tests. The successful buyout isn’t leading to any immediate changes in One Medical’s services beyond a temporary $55 discount on a one-year membership (now $144), but Amazon said last July that it planned a “reinvention” of healthcare with the takeover.

The completion comes just a day after the Federal Trade Commission said it wouldn’t contest the buyout. However, the regulator also says it’s still investigating the deal to explore potential anti-competitive effects and privacy concerns raised by Amazon’s access to health data. (Full article.)

Big Tech increasingly wants to take over society and is encroaching more and more into the pharmaceutical and medical industries.

So it is entirely possible that these regulatory actions are simply “turf wars,” leveraging the government to pick and choose the winners and losers in the new race for digital health data.

As I reported last week, even Big Food is entering the data gold rush, rolling out apps that track everything you purchase including food, drugs, vaccines and online telemedicine. See:

No Vaccine No Food? Grocery Industry Merging with Big Tech and Big Pharma as New App Tracks Drug and Vaccine Purchases Along with Food

If you don’t want every aspect of your life digitized and tracked, the solution is simple. Get “disconnected” as much as possible, and do not use their apps.

“Disconnected” is going to become the new buzzword that defines liberty and privacy, as Big Tech seeks to track every aspect of your life.

Learn what life is like without carrying a cell phone everywhere, giving the Globalists a camera and microphone to record everything you do all day long.

Even your car is watching and tracking you, which is why I began driving an older model vehicle last year that is not connected to the Internet.

Six parts of your car that gather data on you
