GoodRx Settlement Points To Possible Gaping Hole In Cyber Coverage
March 23, 2023
The familiar breach scenario involves a bad-actor third party that steals information that it can monetize, or locks up a company’s computer systems pending a ransom payment, or both. But a recent settlement between a company known as GoodRx and the Department of Justice, on behalf of the Federal Trade Commission, points to another kind of breach scenario. It involves regulatory action and a breach wherein the alleged perp is the company itself, and according to a post from law firm Hunton it constitutes a kind of sleeper potential liability that’s unlikely to be covered by many cyber policies. The allegation in the GoodRx case is that the company monetized protected customer information, in part by sharing it with third parties for advertising purposes.
The FTC take on the matter, as laid out in a press release, is that for years GoodRx, contrary to its privacy promises, violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms, and that it failed to report these disclosures as required by the Health Breach Notification Rule. The proposed settlement includes a $1.5 million penalty, a permanent prohibition on any sharing of health data for advertising purposes and any sharing of data, period, without consent. It also requires the company to direct third parties to delete data that was previously shared and to inform consumers about both the breach and the enforcement action.
The FTC’s unprecedented use of the Health Breach Notification Rule in this case, says the Hunton post, “highlights the need for policyholders who gather personal information for consumer transactions, marketing purposes, or as part of their core business model to ensure that their risk management plan includes a cyber policy that covers regulatory investigations and actions such as the one initiated against GoodRx.”