As per the Federal Trade Commission’s Health Breach Notification Rule, vendors of personal health information and similar entities need to notify consumers in case of a breach of unsecured personal data. The rule was approved in 2009, however, compliance was not fully enforced. Recently, the FTC penalized GoodRx Holdings Inc for its noncompliance with the Health Breach Notification Rule. The prescription drug company, GoodRx Holdings Inc, is to pay $1.5 million as a financial penalty.
In September 2021, the FTC released a policy statement stating its intent to begin actively implementing the Health Breach Notification Rule with an emphasis on health applications. HIPAA typically does not cover health apps and so data breaches are not governed by the requirements of the HIPAA Breach Notification Regulation.
The following guidance documents were published in January 2022:
- Health Breach Notification Rule: The Basics for Business
- Complying with FTC’s Health Breach Notification Rul
The two documents clearly discussed the following:
- which entities are governed by the Health Breach Notification Rule
- what events necessitate the notification of consumers
- how to issue notifications
The first financial penalty was enforced more or less a year after the guidance was approved for the failure to inform consumers regarding unauthorized personal health information (PHI) disclosures to Facebook, Criteo, Google, and others for marketing use.
Telemedicine platform provider, GoodRx is based in Santa Monica, CA. It allows consumers to freely use its website and mobile app to monitor prescription drug costs and get coupons to avail of discounts on medicines. Consumers can also book telehealth consultations and access other healthcare services using the platform. When using the services, consumers give GoodRx their personal and health data. Their data is also collected from pharmacy benefit managers whenever users shop utilizing GoodRx coupons. Over 55 million consumers have already utilized the GoodRx website and mobile application since January 2017.
GoodRx Multiple Privacy Violations and Deceitful Businesses Tactics
GoodRx advised users of its webpage and mobile application that it will never share their personal health information (PHI) with advertising companies or other entities; nonetheless, the FTC confirmed that from 2017 GoodRx consistently violated that policy and disclosed PHI with third parties like Google, Facebook, Criteo, Twilio, Branch, etc for marketing purposes. Details about users’ medical conditions and their prescribed drugs were disclosed.
The PHI of users was monetized and the information disclosed to Facebook was utilized to send targeted ads to its own users on Meta platforms like Instagram and Facebook. The FTC reported one particular instance from 2019 where GoodRx put together listings of users that bought specific medicines for blood pressure and heart disease, then shared their email, telephone numbers, and advertising IDs to FB to enable the identification of those users to send them targeted health-linked ads.
GoodRx likewise allowed third parties like Facebook to utilize the shared information for their own business. It is making false claims of compliance with Digital Advertising Alliance principles because it doesn’t get consent from users prior to using their health data for marketing reasons. GoodRx additionally displayed a seal of HIPAA compliance on its telehealth services webpage when it is not in compliance with the HIPAA Regulations. The provider also did not follow appropriate policies and procedures to secure the personal and medical data of its users, and simply used formal, written, privacy, and data-sharing guidelines when a consumer watchdog exposed its data practices in February 2020.
The FTC stated that GoodRx violated the Health Breach Notification Rule for not alerting consumers about the impermissible disclosures of their PHI, not to mention the seriousness of those violations called for a financial penalty. The federal court is about to approve the proposed penalty. Besides the financial penalty, GoodRx is
- forbidden from sharing the medical records of its users for marketing purposes
- instructed to get users’ consent before sharing any data and should direct the third parties to delete health information shared with them
- required to carry out an extensive privacy program.
Cedars-Sinai Medical Center Faces Lawsuit for Privacy Violations by Using Website Tracking Technology
Cedars-Sinai Medical Center has a lawsuit filed against it for allegedly impermissibly disclosing patient information to Meta, Google, and other third parties as a result of using website tracking technologies without entering into a business associate agreement (BAA) with the code vendors or getting patient authorization. In 2022, there was an investigation conducted on the use of website tracking technologies. The results showed nearly 33% of the United States’ top 100 hospitals added pixels or another tracking code on their web pages, enabling the code providers to collect and transmit sensitive information The Cedars-Sinai lawsuit is just one of the many filed cases against healthcare companies and other health-associated firms last year because of tracking technologies used on websites and mobile applications without getting user permission.
The extensive usage of tracking technologies led the HHS’ Office for Civil Rights to publish guidance last December 2022 about using such technologies. The guidance affirmed the capability of any tracking technologies to access data secured by HIPAA using a valid, HIPAA-compliant BAA acquired from the code provider or when patient consent to share HIPAA-covered information is obtained.
On December 30, 2022, the Cedars-Sinai Medical Center case was filed in the California state court. However, it was transferred to the U.S. District Court for Central California in Los Angeles last February 3, 2023. The John Doe v. Cedars-Sinai Health System and Cedars-Sinai Medical Center lawsuit claim privacy violation, intrusion upon seclusion, breach of implied contract, negligence, breach of contract, and breach of the California Invasion of Privacy Act, the California Confidentiality of Medical Information Act, and California Unfair Competition Law.
The lawsuit states the sensitive personal data and medical data of the plaintiff and other patients of Cedars-Sinai were impermissibly shared with Meta, Google, and Microsoft Bing because of the tracking code put on its web page. The lawsuit says that Cedars-Sinai asks patients to check out its website to study medical signs and health conditions, find physicians that can handle particular health issues, and book appointments on the internet. This calls for patients to share their signs or symptoms and send highly sensitive medical data. This the plaintiff did because he thought that privacy was certain.
The tracking technologies put on the website documented individually identifiable information according to user activities and sent that data to firms, such as Microsoft Bing, Meta/Facebook, Google, and social media sites or companies. Based on the lawsuit, this tracking code is like real-time wiretaps on patients’ devices. It enabled marketing firms to use patient data without consent and send them ads related to their medical conditions. The patients were neither advised regarding those uses nor disclosures.
The plaintiff is someone that uses Facebook with the ‘Keep Me Logged In’ function activated. He observed a rise in health-related ads since going to the Cedars-Sinai website for additional data on his ailment. A few of the ads were particularly connected to the health condition he looked at the website of Cedars-Sinai.
The focus of the lawsuit is Cedars-Sinai, and not the pixels or code providers. The terms and conditions of the code providers specifically mention that using the code with health information is not allowed. As an example, HIPAA-regulated entities and their business associates cannot use the Google Analytics code on their websites that involve PHI. The lawsuit states that adding the tracking code violates patients’ privacy and additionally comprises a HIPAA Rules violation. The lawsuit seeks class-action status, a jury trial, punitive damages, compensation, as well as injunctive relief.