FTC Fines GoodRx for Unauthorized Sharing of Health Data

The Federal Trade Commission imposed a $1.5 million penalty on telehealth and prescription drug discount provider GoodRx Holdings Inc.

Source: CBS News | Published on February 2, 2023


The Federal Trade Commission imposed a $1.5 million penalty on telehealth and prescription drug discount provider GoodRx Holdings Inc. in a first-of-its-kind enforcement for sharing users’ personal health data with Facebook, Google, and other third parties without their consent.

According to the FTC, as part of the settlement, California-based GoodRx agreed to refrain from sharing user health data with third parties for advertising purposes in the future. In a blog post, GoodRx admitted no wrongdoing and stated that it settled “to avoid the time and expense of protracted litigation.” The agreement is still subject to federal court approval.

Consumer advocates hailed Wednesday’s announcement as a potential game-changer that could significantly reduce a little-known phenomenon: the trafficking of sensitive health data by businesses that are not strictly classified as health care providers.

“Digital health companies and mobile apps should not profit from consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect the sensitive data of American consumers from misuse and illegal exploitation.”

The Health Breach Notification Rule, enacted in 2009, applies to personal health record vendors and related providers who are not covered by HIPAA, the federal privacy rules that govern the health care industry.

The enforcement action comes three years after Consumer Reports discovered that GoodRx was disclosing personal health information to over 20 companies. “People told us they had no idea their sensitive information was being shared with companies like Google and Facebook,” Consumer Reports president and CEO Marta Tellado said in a statement Wednesday.

“This is a win for consumers, and it has the potential to have a significant impact on how our health information is kept private in the future.”

In a legal complaint filed on behalf of the FTC, Justice Department lawyers claimed that GoodRx’s actions had “unjustly enriched” the company at the expense of users — many of whom suffer from chronic health conditions — who could face “stigma, embarrassment, or emotional distress,” as well as discrimination, if the facts it shared were revealed.

The focus of the FTC’s concerns, according to GoodRx, was “proactively addressed” nearly three years ago, before the FTC investigation began.

Consumer Reports’ director of technology policy, Justin Brookman, believes the FTC investigation began after his organization’s Feb. 25, 2020 report. Previously, the government stated, “There were no adequate formal, written, or standard privacy or data-sharing policies or compliance programs in place at GoodRx. Even after GoodRx’s practices were revealed, the company failed to notify users that their health information had been disclosed without their permission.”

GoodRx, according to company spokeswoman Lauren Casparis, “used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many websites.”

According to the government, these technologies included embedded web beacons known as “pixels” and other tracking and data-collection tools from companies such as Google and Facebook.

“They put pixels on their site,” Consumer Reports’ Brookman explained over the phone. “They are not required to do so.”

Brookman said in a statement, “For years, health apps and websites have freely given away our personal information. This case should serve as a wake-up call to businesses that sharing customer data without explicit permission will result in investigations and fines.”

GoodRx has assisted consumers in saving more than $45 billion since 2011, according to its website.

According to the FTC, over 55 million consumers have visited GoodRx’s website or mobile apps since January 2017. The agency stated that the company collects personal and health information from its users as well as from pharmacy benefit managers, which confirm when one of its coupons has been used in a purchase.

The FTC says GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” while sharing prescription and health information with third-party advertising companies and platforms such as Facebook, Google, and Criteo. According to the FTC, this process assisted GoodRx in targeting personalized ads on Facebook, Instagram, and other platforms.

Other provisions of the proposed federal court order require GoodRx to direct third-party providers with whom it shared consumer health data to delete it and to notify consumers.

According to Casparis, a GoodRx spokeswoman, “the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”
