GoodRx, a telehealth provider and online platform selling discounted prescription drugs, will pay $1.5 million to settle a Federal Trade Commission complaint that it failed to disclose to consumers that it was sharing health data with Facebook, Google, and other ad-targeting companies. The FTC alleged that since at least 2017 GoodRx shared the sensitive health information of millions of consumers — including users’ prescription medications and health conditions — with third-party advertising companies and platforms despite promising users it wouldn’t share such data. Affected users were subsequently targeted by advertisements based on personal health data that they believed remained confidential. The complaint is the first enforcement action the FTC has taken under its Health Breach Notification Rule, which requires certain entities not covered by HIPAA to notify customers and the FTC if there’s a breach of individually identifiable health information. The FTC voted in September 2021 to clarify that the rule applies to any unauthorized use of such data, not just breaches. According to the FTC complaint, GoodRx also exploited sensitive customer information for its own advertising purposes, uploading user information to Facebook for advertising campaigns that targeted users based on specific medications and health conditions. In addition to the $1.5 million penalty, the proposed court order permanently prohibits GoodRx from sharing user health information with third parties for advertising, requires GoodRx to direct third parties to delete the health data that was shared with them, and requires the company to limit its data retention and to make publicly available details about the information it collects.
Threat actors can leverage stolen medical records to impersonate legitimate patients and commit various forms of fraud, including submitting fraudulent claims to health insurers without authorization. This can not only affect healthcare coverage but also compromise patient safety if incorrect information ends up on file that is later relied on for medical treatment. Anyone who may have been a victim of a medical data breach should get confirmation from their provider of exactly what information was stolen. Change and strengthen any online logins and enable multi-factor authentication. Asking the insurance provider for copies of claims and carefully reviewing explanation-of-benefits notices can reveal whether a patient’s identity has been used fraudulently, and may also show whether inaccurate health and medical information is present in the patient’s records. Lastly, financial and credit accounts should be monitored closely, because medical insurance information is sometimes used to commit other forms of financial fraud. Placing a credit freeze with the credit bureaus and notifying banks or other financial institutions helps prevent fraud when identity theft is suspected.