GoodRx to pay $1.5 million fine for sharing customer health info with Google, Facebook
Telehealth and prescription drug discount provider GoodRx has agreed to pay a $1.5 million fine to the Federal Trade Commission (FTC) after violating rules saying the company must notify customers that it was sharing personal health information with advertising giants.
According to the FTC complaint, GoodRx violated the Health Breach Notification Rule by failing to let its customers know that for years it was sharing this sensitive data with advertising companies and platforms including Facebook, Google, Criteo, Branch and Twilio. In addition to a range of information on customers themselves, the company sold specific data on prescription medications as well as the personal health conditions of its users.
“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
The issues were first uncovered by reporters working for Consumer Reports, who found in 2020 that GoodRx was offsetting cost reductions on drugs by selling customer information. After the article was published, GoodRx pledged to stop sharing information with Facebook and created a way for users to delete their information.
FTC has taken enforcement action for the first time under its Health Breach Notification Rule against GoodRx for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. /2
— FTC (@FTC) February 1, 2023
The FTC said the proposed order, which must be approved by a federal court to go into effect, was the first of its kind and will subsequently ban GoodRx from sharing health data with third parties who use it for advertising purposes.
The agency noted that since 2017, more than 55 million people have used GoodRx or visited its website for prescription drug discounts and other health services. The technology collects information both from the pharmacies where people pick up drugs as well as from customers themselves. The company reported a Q3 revenue of $187.3 million in November.
GoodRx used the data it collected for its own advertising purposes, monetizing the information by working with Facebook to target users with personalized campaigns about medications and treatments on both Facebook and Instagram. Facebook took the name Meta in late 2021.
“For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” the FTC explained.
“GoodRx then used that information to target these users with health-related advertisements.”
The FTC also accused the company of falsely suggesting that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GoodRx put the HIPAA seal at the bottom of its telehealth homepage even though it was selling health data.
GoodRx also had no privacy policy in place until the Consumer Reports story was published.
In addition to the fine and ban on sharing customer health information with third party advertisers, GoodRx is prohibited from “using manipulative designs, known as dark patterns, to obtain users’ consent to share the information,” the FTC said.
In a statement, GoodRx said it admits no wrongdoing and disagrees with the FTC ruling but only agreed to the settlement because it allows them to "avoid the time and expense of protracted litigation."
Facebook and Branch did not respond to requests for comment about what they were doing with the information and how long they were holding it. Twilio declined to comment.
Google said in a statement that it "prohibits personalized advertising based on sensitive data like health conditions or prescription medications."
"We also have strict policies that advertisers and developers must comply with regarding personally identifiable information being shared with us," the spokesperson said.
The tech giant went on to defend its use of the data, arguing that it is not always used for ad personalization and can be deployed for analytical purposes as well. A spokesperson also claimed Google does not use prescription data to create marketing profiles.
Criteo told The Record that its "polices and business practices" prevented them from receiving or using the level of detailed information that other advertising providers received and used.
Criteo claims it never received any personally identifiable information, such as names, email addresses, prescriptions or medical information.
"Additionally, we never served any ads based on sensitive health information, such as prescription medication, and never served any ads with prescription medication. Criteo never received the content of any coupon offered by GoodRx, only an event saying whether or not a coupon was clicked by a user," a spokesperson said.
The FTC has sought to beef up its enforcement efforts in recent years, fining or suing companies like Twitter, CafePress, Kochava and Drizly for a range of data security or privacy violations.
It previously warned makers of health apps and connected devices that collect health-related information about compliance with the Health Breach Notification Rule.
In 2021, Sen. Bob Menendez (D-NJ) and Reps. Bonnie Watson Coleman (D-NJ) and Mikie Sherrill (D-NJ) sent wrote to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data.
The letter cited a Wall Street Journal report about Flo Period & Ovulation Tracker, a popular fertility monitoring app, sharing sensitive information with third parties.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.