The Federal Trade Commission broke new regulatory ground with a $1.5 million civil penalty against telehealth company GoodRx Holdings for sharing personal health information with Google, Facebook, and other third parties for advertising purposes.
"Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, head of the FTC’s Bureau of Consumer Protection, said in a statement.
He added that going forward the FTC will use "all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The penalty is the first under a 2009 law called the Health Breach Notification Rule, which extends privacy rules to companies not covered by the Health Insurance Portability and Accountability Act (HIPAA).
The legal action comes three years after Consumer Reports first revealed that GoodRx was sharing personal health information.
"People told us they’d never expected that their sensitive information was being shared with the likes of Google and Facebook," Marta Tellado, president and CEO of Consumer Reports, said in a statement “The privacy of our health information shouldn’t be treated like an option – it’s a right. We’re pleased to see the FTC stepping up like this."
Tellado and other consumer rights advocates noted that the penalty could set a strong precedent for other enforcement actions against companies' data-sharing practices.