GoodRx and True Health New Mexico to Resolve Data Privacy Violations and Lawsuits

GoodRx to Pay FTC $1.5 Million to Resolve Violations of the FTC Act and Health Breach Notification Rule

On behalf of the Federal Trade Commission (FTC), the Department of Justice filed a proposed order on February 1, 2023 forbidding GoodRx from giving the health data of its users to third parties for marketing uses. This order was filed after FTC’s investigation, which revealed that GoodRx, dba Hey Doctor (GoodRx) GoodRx Gold, and GoodRx Care, violated the FTC Act by undertaking unfair and deceitful trade practices. GoodRx allegedly shared the information of a lot of users without their permission and awareness and broke the FTC Health Breach Notification Regulation by not notifying users regarding the privacy breach.

The data disclosed to third parties involved personally identifying information, data regarding sensitive health problems, and prescription drugs. The FTC claimed that GoodRx shared the data in spite of repeatedly guaranteeing its users that the organization would protect sensitive health data and wouldn’t share it with third parties. The FTC additionally questions the “HIPAA Secure: Patient Data Protected” seal that GoodRx displays on its website. The seal appears to certify that GoodRx was a HIPAA-covered entity that complies with the HIPAA Rules when it really wasn’t.

Principal Deputy Assistant Attorney General Brian M. Boynton of the Justice Department’s Civil Division states that consumers should know if and how their personal health information (PHI) will be utilized, and when it was shared with third parties. The Department is determined to enforce protections against deceitful practices and illegal disclosure of PHI.

The information was disclosed to third parties through third-party tracking codes on its web page and plug-and-play software programs made available by businesses like Facebook, Google, Criteo, Twilio, and Branch. The information obtained using those programs was sent to the software kits and pixels providers and was most likely utilized for marketing purposes. GoodRx didn’t accept the conclusions of the FTC and did not admit any wrongdoing. Then, it made the decision to resolve the allegations to avoid the time and cost that comes with protracted litigation.

Based on the agreed settlement by all parties, GoodRx will pay $1.5 million as financial penalty and undertake a corrective action plan that will stop unauthorized disclosures of sensitive health information and make sure to comply with the Health Breach Notification Rule and the FTC Act. GoodRx has additionally agreed not to share the sensitive health information of its users without first of all acquiring consent for this and will inform all impacted persons regarding the disclosures. The court lately okayed the proposed order and the agreed settlement will now be in effect.

Companies that improperly use the sensitive health data of their customers by disclosing that data without the consent or knowledge of their customers will be made accountable. The FTC will continue to work together with its partners to safeguard against the unauthorized sharing of such sensitive, personal data.

True Health New Mexico’s Offer to Settle its Class Action Data Breach Lawsuit

The health insurance company, True Health New Mexico based in Albuquerque, NM, has offered a settlement deal to take care of claims associated with a 2021 data breach that impacted 62,983 health plan members.

True Health New Mexico discovered a security incident on October 5, 2021. It was confirmed by an investigation that an unauthorized third party acquired access to its system and encrypted files after deploying ransomware. While having access, the attacker potentially viewed and stole files that had plan member information like names, physical addresses, email addresses, birth dates, ages, insurance details, medical data, Social Security numbers, provider data, date(s) of service, and health account member IDs. There was no proof of plan member data misuse found during the time of sending breach notification letters; nevertheless, as a safety measure against identity theft and fraud, True Health New Mexico offered free credit monitoring and identity theft protection services to impacted persons.

A number of lawsuits were filed right after sending notifications alleging that the health plan company failed to take proper action to safeguard sensitive client and employee information. The lawsuits furthermore alleged negligence per se, unjust enrichment, breach of privacy by intrusion, breach of implied contract, breach of express contract, breach of fiduciary duty, and New Mexico Unfair Practices Act violations.

The lawsuits wanted a refund of out-of-pocket costs, recovery of losses due to identity theft and fraud, and for True Health New Mexico to make sure the enhancement of security to stop more data breaches. True Health New Mexico offered the settlement to take care of claims associated with these cases without admitting wrongdoing. Individuals who got notifications regarding the data breach and had a part in three class action lawsuits may file claims. The three class action lawsuits are Clement, et al. v. True Health New Mexico Inc., McCullough, et al. v. True Health New Mexico Inc., and Shanks, et al. v. True Health New Mexico Inc., which are all submitted in the 2nd District Court of the State of New Mexico and consolidated into one class action lawsuit on March 21, 2022.

Based on the conditions of the offered settlement, claims as much as $5,250 per person will be accepted. As much as $250 may be claimed as a refund for ordinary expenditures associated with the data breach, for example, bank charges, credit monitoring expenses, and communication costs, and also as much as 5 hours of lost time valued at $20 an hour. Claims for recorded extraordinary losses of as much as $5,000 will also be accepted. Extraordinary losses include losses to identity theft and fraud that may be sensibly tracked to the data breach, along with around 3 hours of extra time valued at $20 an hour. The settlement additionally has provisions for attorneys’ service fees, awards of around $1,500 for named plaintiffs, and an extra 2 years of three-bureau credit monitoring services and identity theft insurance provided by Equifax starting on the date of the settlement.

True Health New Mexico has likewise taken steps to enhance security, such as having a written security policy, equipping the employees with cybersecurity training, enforcing a password policy, using multi-factor authentication, and having an endpoint detection and response solution; nevertheless, the settlement consists of a clause that permits the health plan company to get away from the obligation to strengthen security. In case True Health stops operations, True Health will not be obliged to carry on these equitable measures.

True Health New Mexico, which is a subsidiary of Bright Health, has already discontinued offering health plans to residents of New Mexico and will just offer coverage to current health plan members up to June 30, 2023, since Bright Health has made the decision to target markets that would give it the biggest advantage.

The last day for objecting or excluding oneself from the settlement deal is April 14, 2023. Submission of claims is until August 14, 2023. The schedule of final fairness hearing is on May 10, 2023.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at