GoodRx Settlement Points To Possible Gaping Hole In Cyber Coverage

The familiar breach scenario involves a bad-actor third party that steals information that it can monetize, or locks up a company’s computer systems pending a ransom payment, or both. But a recent settlement between a company known as GoodRx and the Department of Justice, on behalf of the Federal Trade Commission, points to another kind of breach scenario. It involves regulatory action and a breach wherein the alleged perp is the company itself, and according to a post from law firm Hunton, it constitutes a kind of sleeper potential liability that’s unlikely to be covered by many cyber policies. The allegation in the GoodRx case is that the company monetized protected customer information, in part by sharing it with third parties for advertising purposes.

The FTC take on the matter, as laid out in a press release, is that for years GoodRx, contrary to its privacy promises, violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms, and that it failed to report these disclosures as required by the Health Breach Notification Rule. The proposed settlement includes a $1.5 million penalty, a permanent prohibition on any sharing of health data for advertising purposes and any sharing of data, period, without consent. It also requires the company to direct third parties to delete data that was previously shared and to inform consumers about both the breach and the enforcement action.

The FTC’s unprecedented use of the Health Breach Notification Rule in this case, says the Hunton post, “highlights the need for policyholders who gather personal information for consumer transactions, marketing purposes, or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.”
