The FTC recently took enforcement action against GoodRx, resulting in a $1.5 million civil penalty settlement for failing to report its unauthorized disclosure of consumer health data to Facebook, Google, and other companies. For businesses that regularly share customer information with third parties or seek customer information to drive advertising, this enforcement action should be an eye-opener.
This enforcement action dealt with a violation of the Health Breach Notification Rule (the first under this Rule). The complaint against GoodRx alleged that it shared personal health information with Facebook, Google, Criteo, and others; used personal health information to target its users with ads; failed to limit third-party use of personal health information; misrepresented its HIPAA compliance; and failed to implement policies to protect personal health information.
For an extensive article by Chris Cleveland of ComplyAuto on the potential exposure for dealerships from targeted advertising, click HERE.
For a complete reading of the GoodRx complaint, click HERE.