Comment: That's pretty light for HIPAA penalties. (Score 5, Insightful)
From 2017 to 2020, GoodRx uploaded the contact information of users who had bought certain medications, like birth control or erectile dysfunction pills, to Facebook so that the drug discount app could identify its users' social media profiles, the F.T.C. said in a legal complaint. GoodRx then used the personal information to target users with ads for medications on Facebook and Instagram, the complaint said, "all of which was visible to Facebook."
This strikes me as a willful data breach of HIPAA privacy rules, as it was not done accidentally but deliberately in order to identify social media profiles in a manner visible to Facebook, and it clearly was not corrected "in a reasonable time frame", as required by HIPAA rules, as this shit went on for three years.
That's a category 4 violation of HIPAA privacy rules, and the penalty for such a violation is $50,000 per violation with a maximum of $1.5 million per year.
Essentially GoodRx admitted to violating HIPAA privacy laws in an egregious and willful manner, and is paying the full fare for the fine.
The part that amazes me, however, is that this cap of $1.5 million was written for small practices and for individual doctors--not for large corporations like GoodRx, where $1.5 million is basically a rounding error on their financials. Essentially, by doing this, we've shown that--as we move towards consolidating practices under large HCOs where $1.5 million is essentially a write-off for the cost of doing business--our personal private medical information is simply not safe. For $1.5 million, you too can mine the health data records of tens or hundreds of thousands of patients.
This tells me Congress needs a new class of penalty here, which removes the cap for large entities. Especially now, as we're seeing Silicon Valley tech companies enter the health care space, where "move fast and break things" is a mantra, and where a $1.5 million "penalty" is considered a minor tax write-off.