The cybersecurity landscape continues not to disappoint as enforcement options are dusted off and put to use.
On February 1, 2023, the Federal Trade Commission (FTC) announced its first settlement under its Health Breach Notification Rule (“Rule”), a rule derived from Section 13407 of the HITECH Act (Pub. L. 111-5 (2009)), published in the Federal Register on August 25, 2009 (74 Fed. Reg. 42980), and preempting state law (HITECH Act § 13421). The Rule has been effective since 2009. Before we delve into the FTC’s settlement against GoodRx, here are some of the important terms to appreciate in 16 CFR § 318, et seq.:
- The Rule applies to “foreign and domestic vendors of personal health records [PHR], PHR related entities, and third party service providers, irrespective of any jurisdictional tests in the Federal Trade Commission (FTC) Act, that maintain information of U.S. citizens or residents. It does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” (§318.1). Stated another way, the focus is on consumer protections and the reach is broader than HIPAA.
- Under the Rule, “Breach of security means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” (§318.2 (a)).
- Under the Rule, “PHR related entity means an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that: (1) Offers products or services through the Web site of a vendor of personal health records; (2) Offers products or services through the Web sites of HIPAA-covered entities that offer individuals personal health records; or (3) Accesses information in a personal health record or sends information to a personal health record.” (§318.2 (f)).
The FTC and HIPAA each have two categories of breach notification requirements (breaches affecting fewer than 500 individuals and those affecting more than 500 individuals). The FTC requires that the individual be notified “in no case later than 60 calendar days” and that the FTC itself be notified no “later than ten business days following the date of discovery of the breach” (§§318.3, 4(a), 5(c)). Interestingly, although HIPAA’s Breach Notification Rule and the FTC’s Rule are laid out differently, both require notification to the media for breaches involving more than 500 individuals.
An interesting question is why it took well over a decade for a settlement under the FTC Rule to occur. Regardless of the length of time, when persons are evaluating cybersecurity risk across an organization (large or small), these key items from the Government’s Complaint, which resulted in a $1.5 million GoodRx settlement, should be considered:
- As noted in the FTC’s press release, “The company name may be GoodRx, but it’s unlikely that “good” is the adjective consumers would use to describe the way the company violated its privacy promises by disclosing their personal health information to companies like Facebook and Google without authorization. How did GoodRx accomplish that? By using automatic “plug and play” tracking pixels and software development kits (SDKs) from Facebook, Google, and other companies that are designed to grab a substantial amount of consumer data and turn it over for advertising purposes. In the case of GoodRx, this included consumers’ personal and health information.”
- Also notable is the contrast between GoodRx’s outward-facing statements to the public and its actual conduct. “GoodRx has made numerous privacy promises to consumers. For example, in describing its use of third-party tracking tools, GoodRx assured people, “[W]e never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” GoodRx also promised users that it “rarely shares” personal health information with third parties, and when it does, it “ensures that these third parties are bound to comply with federal standards as to how to treat ‘medical data’ that is linked with your name, contact information and other personal identifiers.” In addition, GoodRx stated it would share users’ personal information only for certain limited administrative functions – for example, “to provide services directly to users,” “to comply with the law or legal process,” “to act in an emergency to protect someone’s safety,” or “to handle customer requests.”
As a paradigm shift occurs from managing cybersecurity to managing cybersecurity risk, persons should consider the following: (1) outward-facing statements that contradict the actions the company is actually taking; (2) the number of federal and state agencies with enforcement jurisdiction (GoodRx, for example, could also be subject to U.S. Securities and Exchange Commission enforcement for material misstatements to the market and cybersecurity-related violations); and (3) ensuring that annual training is in place, that policies and procedures are current and reviewed annually, that a third-party risk assessment is conducted by a qualified third party, and that data is encrypted both at rest and in transit. The days of sticking one’s head in the sand should be long gone. For those who don’t have a business associate agreement or similar contract in place that addresses the parties’ implementation of technical, administrative, and physical safeguards, breach notification, and data return/destruction, this is an area to look at closely, because this requirement has been around for a while.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.