The Federal Trade Commission has issued a $1.5 million fine against online pharmacy and telehealth provider GoodRx for unauthorized sharing of its customers’ private health data with Google, Facebook and other third parties. In addition, GoodRx has agreed to an unprecedented provision prohibiting the company from further sharing consumer health data with third parties for advertising. The FTC’s complaint follows an investigation by Consumer Reports and Gizmodo, which first discovered in 2020 that GoodRx was sharing its customers’ private health information with more than 20 companies without their consent.
In a complaint filed Wednesday by the Justice Department, the FTC is accusing GoodRx of violating its own privacy promises and the FTC’s Health Breach Notification Rule by failing to notify those using its services that their personal health information, such as their medical conditions and prescription drugs, was disclosed to advertising companies and third-party platforms.
The complaint alleges that GoodRx has shared consumer health data with Facebook, Google, Criteo, Branch and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. This information would have been used to target GoodRx’s users on Facebook and Instagram with personalized ads specific to their medications and health conditions. The complaint also alleges that the online pharmacy misrepresented its HIPAA compliance.
GoodRx admitted no wrongdoing in its statement in response to the FTC, claiming it agreed to the settlement to “avoid the time and expense of lengthy litigation.”
“We had used vendor technologies to advertise in a manner that we believed complied with all applicable regulations and is still common practice on many health, consumer and government websites,” GoodRx said. The online pharmacy also claims the settlement addresses “an old issue that was proactively addressed nearly three years ago,” prior to the FTC’s investigation. However, Gizmodo says that The Markup’s Blacklight tool shows GoodRx.com has continued to share consumer information with ad companies and has added new ad partners since the original investigation in 2020.
The FTC’s order is subject to federal court approval, but if approved, it could have a profound effect on the legality of advertising practices within the health and medical industry.
“Health apps and websites have been giving away our personal data for years without consequence,” said Justin Brookman, director of technology policy at Consumer Reports (via The Independent). “This case should be a turning point – now companies need to understand that sharing customer data without clear consent will lead to investigations and fines.”
The practice of sharing consumer data with third parties without consent is quite common in health apps and services. However, this case marks the first time since its introduction in 2009 that the FTC has attempted to enforce its Health Breach Notification Rule, which requires companies to notify consumers of unauthorized access to their personal health records. The FTC has previously said that the Health Breach Notification Rule can also be applied to consumer technology not covered by HIPAA, such as fitness trackers and health or diet apps.
“Digital health companies and mobile apps should not be allowed to monetize consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is announcing that it will use all of its legal authority to protect the sensitive data of U.S. consumers from misuse and illegal exploitation.”