FTC slaps GoodRx with $1.5M fine for sharing users' health data with Facebook, Google

The Federal Trade Commission (FTC) took enforcement action today against GoodRx for failing to notify customers and regulators of unauthorized disclosures of consumers’ personal health information. The action is the first of its kind under the FTC’s Health Breach Notification Rule (HBNR).

The move signals potential increased enforcement by the FTC on the side of protecting consumer privacy and serves as a warning to other digital health companies.

Filed by the Department of Justice on behalf of the FTC, the proposed order will prohibit GoodRx from sharing user health data with applicable third parties. The telehealth and prescription drug discount provider agreed to pay a $1.5 million civil penalty. A blog post on the GoodRx website stated that the company admits no wrongdoing but agreed to settle in order to “avoid the time and expense of protracted litigation.”

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

Before the proposed order goes into effect, a federal court must approve it. If approved, the company would be barred from sharing users’ health information for advertising purposes.

According to the complaint (PDF) filed by the FTC, GoodRx violated the FTC Act and acted against its own privacy promises by sharing sensitive personal health information with advertising entities. The FTC alleges that these practices took place for years and were not reported to the federal government as is required by the Health Breach Notification Rule.

The filing states that since 2017, the California-based company had promised its users that it would never share personal health information with advertisers or other third parties. Facebook, Google and Criteo are among the third parties listed as alleged recipients of information about users’ prescription medications and personal health conditions, along with personal contact information and unique advertising and persistent identifiers.

Criteo claims it never received any personally identifiable information, including name, email address or personal health information, from GoodRx. "Additionally, we never served any ads based on sensitive health information, such as prescription medication, and never served any ads with prescription medication," a Criteo spokesperson wrote to Fierce Healthcare.

The FTC alleges that GoodRx integrated pixel technology and similar automated trackers called “Software Development Kits.” The commission states that, by tracking personal health information, GoodRx targeted its own users with personalized health and medication-specific advertisements.

The online prescription retailer responded to the allegations in a company blog post by stating that the issue had been addressed nearly three years ago, before the FTC contacted the digital health company.

“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices,” GoodRx executives wrote in the blog post.

The post went on to say that no medical records were shared via the pixel technology, which the company stated primarily tracked IP addresses and web page URL information. GoodRx also claimed that the FTC's application of the Health Breach Notification Rule was novel and that GoodRx's use of pixels did not breach any regulations, noting that such use is standard on many company websites.

"We have implemented a privacy framework with a robust set of policies and procedures to safeguard our users’ data, including regular reviews by both internal and external teams," a GoodRx spokesperson wrote to Fierce Healthcare in an email. "We also offer all Americans nationwide the ability to opt out from certain cookies and tracking, and to request the deletion of data."

A Health Insurance Portability and Accountability Act (HIPAA) issue was also referenced in the complaint, covering a period from April to September 2019 when GoodRx displayed a seal on its website implying to patients that their data were HIPAA-secure. The online pharmacy stated that the seal came from a telehealth website acquired in 2019 and was promptly removed.

The Health Breach Notification Rule requires health apps and connected devices that access personal health information to notify users if their data are compromised. This action marks the first time the rule is being employed in an enforcement action and the first time a proposed FTC consent order is being used to prohibit a company’s use of consumer health data for advertising purposes.

The rule applies to entities not covered by HIPAA to ensure they are held accountable when consumers’ sensitive health information is breached, according to the FTC. If a company doesn’t comply with the rule, the agency has stated previously, it can enforce fines of $43,792 per violation per day.

The online pharmacy released a statement in conjunction with the blog post, both of which asserted that the FTC’s move would not affect its business practices and that it would continue to provide Americans with steep discounts on pharmaceuticals. “We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare,” GoodRx wrote in a press release.