The US Federal Trade Commission (FTC) on Wednesday announced a $1.5 million civil penalty against digital healthcare company GoodRx for its failure “to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies,” in violation of the FTC’s Health Breach Notification Rule (HBNR) (16 CFR Part 318) and Section 5 of the FTC Act (15 U.S.C. § 45(a)(1)).
The action is the FTC’s first enforcement of the HBNR. The HBNR requires businesses and non-profits “not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information.” The FTC’s Policy Statement on the rule indicates that makers of health apps and connected devices, such as GoodRx, must comply with the HBNR.
The FTC voted 4-0 to refer its complaint and stipulated final order to the US Department of Justice (DOJ) for filing. The complaint alleges that “GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the” HBNR. Although GoodRx had promised users that it would not share their personal information, including personal health information, with advertisers or other third parties, the complaint alleges that GoodRx repeatedly broke those promises over a four-year period, sharing “extremely intimate and sensitive details about GoodRx users” concerning their physical health, their mental health, and other personal information.
Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.