In early February, the FTC ruled that GoodRx violated patient privacy and HIPAA by sharing patients' data with third parties for advertising purposes. The FTC claims that GoodRx's practices violate its promises to users about how their data are used. The FTC also says this practice constitutes a data breach under HIPAA's breach reporting rule.
Why It Matters
The FTC is not just punishing GoodRx for false promises to consumers. It has also cited GoodRx for violating the HIPAA breach rule. Usually, a company's intentional disclosure of data to business partners (as opposed to data being taken from the company without its permission) is not considered a "breach" in the security sense. If purposeful disclosures are now deemed a "breach," companies covered by HIPAA have an even greater incentive to make sure their behavior is in line with what they promise consumers/patients.