The Federal Trade Commission (FTC) recently announced the first-ever financial penalty for a violation of the FTC Health Breach Notification Rule. GoodRx allegedly failed to notify its users that their health information had been shared with third parties, including Facebook and Google, through tracking code added to its website and mobile application. GoodRx said it chose to settle the case and pay a $1.5 million civil penalty to avoid the time and expense of protracted litigation, and that it had already taken steps to address the matter before the FTC began its investigation. The proposed settlement has not yet been approved by a federal judge.
Over the past few months, a number of healthcare data breach reports have involved the impermissible disclosure of protected health information (PHI) to third parties such as Meta and Google through tracking code on web pages and mobile applications. Several lawsuits have been filed over those disclosures, including this one concerning the GoodRx data breach.
On February 2, 2023, a few days after the FTC announced the penalty, a lawsuit was filed in the U.S. District Court for the Northern District of California. The defendants are GoodRx and the three companies named in the FTC announcement: Google, Criteo, and Meta. The allegations mirror those in the FTC complaint. The lawsuit contends that GoodRx broke its promise never to share users' personal and health data with advertising companies and other third parties and to use personal health information only to fulfill users' requests, such as providing coupons for prescription drugs. It also challenges GoodRx's claim to follow the Digital Advertising Alliance guidelines, which prohibit using health data for online behavioral advertising without consent, and its display of a HIPAA seal on its website suggesting compliance with the Health Insurance Portability and Accountability Act (HIPAA).
The plaintiff and the class members he represents allege that their personal and health data were disclosed to third parties without their consent, despite assurances that such disclosures would not occur, and that defendants Google, Criteo and Meta knowingly and intentionally intercepted personal data transmitted through the GoodRx website, including health data relating to users' health conditions, symptoms, and prescription medications. The lawsuit states that GoodRx monetized this information and used it to serve targeted ads based on past prescriptions and on visits to pages about birth control and erectile dysfunction drugs, that Google, Criteo and Meta profited from the information GoodRx sent them, and that the disclosures constitute an egregious invasion of the plaintiff's and class members' privacy.
The lawsuit asserts claims of common law invasion of privacy, unjust enrichment, intrusion upon seclusion, violations of the California Invasion of Privacy Act, violations of the California Confidentiality of Medical Information Act (CMIA), aiding and abetting CMIA violations, violations of the California Business and Professions Code, and violations of the California Consumers Legal Remedies Act. It seeks class certification, declaratory relief, statutory, actual, compensatory, punitive, consequential, and nominal damages, and restitution and/or disgorgement of ill-gotten gains.
GoodRx maintains that it did nothing wrong and says that, even before the FTC contacted it, the company had already made changes consistent with its commitment to protecting users' privacy. It states that its use of vendor advertising technologies complied with all applicable regulations and was consistent with common practice across many health, government, and consumer websites.
Google stated that it prohibits personalized advertising based on sensitive information such as health data and that it enforces strict policies on the types of data that may be shared with it.
Meta did not comment on the GoodRx case, but it has issued statements on Meta Pixel-related data breaches at HIPAA-covered entities, confirming that its policies prohibit such disclosures and that it has implemented systems designed to automatically detect and remove sensitive personal information so that it is not passed to advertisers.
Criteo likewise did not comment on the lawsuit but issued a statement on the FTC allegations. It said that Criteo's data policies and privacy practices prohibit many of the targeted marketing campaigns and programs described in the FTC complaint against GoodRx, and that, consistent with its policies and practices and in connection with its digital marketing services for GoodRx, Criteo never received any personally identifiable information such as names, email addresses, prescribed medications, or health data.
Connexin Software Facing Another Lawsuit Because of the 2.2 Million-Record Data Breach
Connexin Software, which does business as Office Practicum and provides electronic medical record and practice management software to pediatric practices, is facing another lawsuit over a ransomware attack in August 2022 that affected more than 2.2 million individuals. On August 26, 2022, Connexin discovered that hackers had accessed its systems and encrypted files with ransomware.
The forensic investigation determined that the threat actor copied files containing protected health information (PHI). The exposed PHI included patient names, names of parents and guardians, addresses, email addresses, dates of birth, health insurance information, health and/or treatment information, Social Security numbers, and billing and claims information. Connexin Software reported the breach to the HHS' Office for Civil Rights as affecting 2,216,365 individuals. The incident also affected 199 medical insurance companies and service providers.
The lawsuit, Green v. Connexin Software, Inc., was filed in the U.S. District Court for the Eastern District of Pennsylvania on behalf of plaintiff Amiyah Green and similarly affected individuals. It alleges that Connexin was required under HIPAA to implement safeguards to protect the privacy of PHI and prevent unauthorized access, but failed to implement reasonable and appropriate cybersecurity measures such as encrypting data.
The lawsuit also alleges a violation of the HIPAA Breach Notification Rule, which requires notifications to be sent to affected individuals without unreasonable delay and no later than 60 days after a breach is discovered. Connexin discovered the breach on August 26, 2022, but did not notify affected individuals until November 2022. As a result, the plaintiff and class members were unaware of the risk to their sensitive data and could not take steps to mitigate potential harm. The lawsuit further alleges that the breach notifications omitted important information, such as the means and nature of the breach and what Connexin plans to do to prevent similar incidents in the future.
Connexin offered affected individuals 12 months of identity theft protection services. The lawsuit alleges this is insufficient, because the plaintiff and class members will have to pay for identity theft protection for additional years to guard their personal data and PHI against misuse. It states that the plaintiff and class members now face a substantial, ongoing risk of targeted phishing attacks, further data breaches, and other fraud, will incur out-of-pocket costs protecting themselves against identity theft and fraud, and have suffered or may suffer actual injury as a result of the breach.
The lawsuit asserts claims of negligence, negligence per se, and unjust enrichment, and demands a jury trial and appropriate monetary relief, including actual, punitive, and statutory damages, restitution, and disgorgement, as well as equitable, injunctive, and declaratory relief, including an order requiring Connexin to adopt and implement data security measures to protect private data and to extend the identity theft protection and credit monitoring services.