He Slimed Me: FTC Hits GoodRx Over Unauthorized Use of Consumer Data

GoodRx is a digital health platform familiar to many, and a prime example of a single player that operates in several different realms of the evolving and growing digital health marketplace. Among its services are prescription drug discounts, telehealth visits, and other health services.

The Federal Trade Commission (FTC) and its partners at DOJ’s Consumer Protection Branch recently filed a civil complaint against GoodRx for data privacy breaches. The case includes a proposed order that may sharply narrow the company’s ability to traffic in consumer data, often a key part of any digital health company’s business model.

This case was the latest example of government regulators punishing a company that refused to live up to its promises of consumer data protection. It’s also the first enforcement action under the 14-year-old FTC Health Breach Notification Rule. That Rule requires data companies to notify consumers and regulators of unauthorized disclosures of consumers’ personal health information. Unauthorized disclosures can occur either through external hacks or, as we see here, as part of a digital health company’s own internal policies.

FTC and DOJ have for years developed cases under the legal theory that lax data privacy policies amount to unfair and deceptive acts and practices and thus are violations of the FTC Act. Companies holding sensitive data must act as both the Key Masters and the Gate Keepers. Here, the FTC and DOJ allege that GoodRx committed the same sin as many other tech firms before it: the company promised users that their data was safe and inviolate, but according to the complaint, it was not.

GoodRx is alleged to have shared ostensibly protected personal health information with other tech companies, used the data for ad targeting, allowed third-party use of the data, used a HIPAA seal on its site that misrepresented its compliance status, and failed to put other policies in place to protect the data. That’s a good list of the kinds of things that most consumers really do not want their digital medical services provider to do with their sensitive personal information.

The proposed order that resolves the case may take away some of GoodRx’s tools of profitability. It permanently bans the company from trafficking-in patient data on several fronts. These measures include a prohibition on sharing health data for ads, requiring user consent to share data, and implementing a privacy program that a lot of its users probably thought it already had in place.

Perhaps these terms are severe to GoodRx, but the civil penalty was noticeably small compared to other FTC data privacy cases. GoodRx has an estimated market capitalization of over $2 billion dollars. The penalty of $1.5 million is, well, not a lot. Other notable data privacy cases that weren’t first of their kind or that did not include sensitive personal health information include, among many others, Facebook ($90m, $725m and $5b), YouTube ($170m), Capital One ($190m), and Twitter ($150m).

Through our FDA-focused lens, we see a possible roadmap as FDA’s Center for Devices and Radiological Health (CDRH) increases its resources, guidances, and enforcement emphases in the connected digital device space. It may be that cases like this one may affect future FDA data cases.

FDA is building its Digital Health Center of Excellence (DHCE). The catalogue of resources, guidances, and other regulatory materials for the DHCE is growing, as we have noted in prior blog posts. Cybersecurity for connected devices is of key importance to DCHE, as medical devices connected to apps and other portals to the internet offer hackers potential openings to exploit. And, like GoodRx, they may also offer device companies potential profitability through the sharing of valuable data. It’s not a huge leap to imagine a case where hackers get through a connected device’s cybersecurity shields. That kind of event probably triggers the Health Breach Notification Rule, and a civil action against the victim company for poor data privacy practices may not be far behind. And as we see with GoodRx, intentional sharing of data that is advertised as protected may trigger enforcement as well.

But the connected device space must also beware of FDA enforcement under the same scenarios of either voluntary or involuntary breach, and device makers can’t just try to empty their minds and wish for seemingly harmless outcomes that would be, in fact, terrifying. The new Section 3305 of FDORA adds a prohibited Act to Section 331 of the FDCA that relates to this. Failure to comply with new cybersecurity requirements is now a violation that applies to devices that include software, can connect to the internet, and may be vulnerable to cybersecurity threats. Device makers that do not monitor, update, and generally guard against post-market cybersecurity vulnerabilities seemingly face a dual threat of FTC and now, FDA enforcement action, all taken through DOJ.

FDA enforcement might take any number of forms, from a simple inspection, to Form 483, to Warning Letter, to consent decree. But whatever an FDA action might look like, we know that FTC, FDA, and DOJ will view a compromised device as a potentially unsafe device. In one form or another, exposure of consumer patient data may very well have significant regulatory consequences, where the agency streams may all cross to push violators back into a more compliant dimension.

See you on the other side.