Telehealth and prescription drug discount provider GoodRx has agreed to pay a $1.5 million fine to the Federal Trade Commission (FTC) after violating rules saying the company must notify customers that it was sharing personal health information with advertising giants.
According to the FTC complaint, GoodRx violated the Health Breach Notification Rule by failing to let its customers know that for years it was sharing this sensitive data with advertising companies and platforms including Facebook, Google, Criteo, Branch and Twilio. In addition to a range of information on customers themselves, the company sold specific data on prescription medications as well as the personal health conditions of its users.
“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
The issues were first uncovered by reporters working for Consumer Reports, who found in 2020 that GoodRx was offsetting cost reductions on drugs by selling customer information. After the article was published, GoodRx pledged to stop sharing information with Facebook and created a way for users to delete their information.
Facebook, Google, Criteo, Branch, and Twilio did not respond to requests for comment about what they were doing with the information and how long they were holding it.
FTC has taken enforcement action for the first time under its Health Breach Notification Rule against GoodRx for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. /2
— FTC (@FTC) February 1, 2023
The FTC said the proposed order, which must be approved by a federal court to go into effect, was the first of its kind and will subsequently ban GoodRx from sharing health data with third parties who use it for advertising purposes.
The agency noted that since 2017, more than 55 million people have used GoodRx or visited its website for prescription drug discounts and other health services. The technology collects information both from the pharmacies where people pick up drugs and from customers themselves. The company reported a Q3 revenue of $187.3 million in November.
GoodRx used the data it collected for its own advertising purposes, monetizing the information by working with Facebook to target users with personalized campaigns about medications and treatments on both Facebook and Instagram. Facebook took the name Meta in late 2021.
“For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” the FTC explained.
“GoodRx then used that information to target these users with health-related advertisements.”
The FTC also accused the company of falsely suggesting that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GoodRx put the HIPAA seal at the bottom of its telehealth homepage even though it was selling health data.
In addition to the fine and ban on sharing customer health information with third-party advertisers, GoodRx is prohibited from “using manipulative designs, known as dark patterns, to obtain users’ consent to share the information,” the FTC said.
It previously warned makers of health apps and connected devices that collect health-related information about compliance with the Health Breach Notification Rule.
In 2021, Sen. Bob Menendez (D-NJ) and Reps. Bonnie Watson Coleman (D-NJ) and Mikie Sherrill (D-NJ) wrote to the FTC urging it to enforce the Health Breach Notification Rule against mobile apps that leak data.
The letter cited a Wall Street Journal report about Flo Period & Ovulation Tracker, a popular fertility monitoring app, sharing sensitive information with third parties.