In a first-of-its-kind enforcement, the Federal Trade Commission has imposed a $1.5 million penalty on telehealth and prescription drug discount provider GoodRx Holdings Inc. for sharing users’ personal health data with Facebook, Google and other third parties without their consent.

Under a settlement, California-based GoodRx also accepted that it will be prohibited going forward from sharing user health data with third parties for advertising purposes, the FTC said. GoodRx admitted no wrongdoing and said in a blog post that it settled “to avoid the time and expense of protracted litigation.” The agreement is pending federal court approval.

Consumer protection advocates hailed Wednesday’s announcement as a potential game-changer that could seriously curtail a little-known phenomenon: The trafficking in sensitive health data by businesses not strictly classified as health care providers.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, head of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The enforcement is the first under a 2009 law, the Health Breach Notification Rule, which applies to personal health record vendors and related providers not covered by HIPAA, the federal privacy rules that govern the health care industry,

FTC’s complaint details

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:

  • Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.
  • Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

Source: FTC

It comes three years after Consumer Reports discovered that GoodRx was sharing people’s personal health information with more than 20 companies. “People told us they’d never expected that their sensitive information was being shared with the likes of Google and Facebook,” Marta Tellado, president and CEO of Consumer Reports, said in a statement Wednesday. “This is a win for consumers, and it could have a profound effect on how our health information is kept private moving forward.”

Exhibit from FTC complaint vs. GoodRx (FTC image)

GoodRx ‘unjustly enriched’

In a legal complaint filed on the FTC’s behalf, Justice Department lawyers said GoodRx’s actions had “unjustly enriched” the company at the expense of users — many sufferers of chronic health conditions — who could face “stigma, embarrassment or emotional distress” as well as discrimination if facts it shared were disclosed.

GoodRx said the focus of the FTC’s concerns was “proactively addressed” nearly three years ago, before the FTC inquiry began.

Justin Brookman, the director of technology policy at Consumer Reports, said he believed the FTC inquiry began after his organization’s Feb. 25, 2020 report. Prior to that, the government said, “GoodRx had no sufficient formal, written, or standard privacy or data-sharing policies or compliance programs in place. And, even after GoodRx’s practices came to light, it failed to notify users that their health information had been disclosed without their authorization.”

Company spokeswoman Lauren Casparis said via email that GoodRx “used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many websites.”

Those technologies included embedded web beacons known as “pixels” and other tracking and data-collection tools from companies including Google and Facebook, the government said.

“They put pixels on their site,” Brookman of Consumer Reports said by telephone. “They don’t have to do that.”

In a statement, Brookman said “health apps and websites have been giving away our personal data for years without consequence. This case should be a turning point — now companies have to understand that sharing customer data without clear permission will lead to investigations and fines.”

On its website, GoodRx says it has helped consumers save more than $45 billion since 2011.

More than 55 million consumers visit GoodRx

The FTC said more than 55 million consumers have visited GoodRx’s website or mobile apps since January 2017. It said the company collects personal and health information from its users and from pharmacy benefit managers — the companies that manage prescription drug benefits — that confirm when one of its coupons has been used in a purchase.

The FTC said in a news release that GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties” while sharing information on their prescriptions and health conditions with third-party advertising companies and platforms including Facebook, Google and Criteo. That process helped GoodRx target personalized ads on Facebook and Instagram and other platforms, the FTC said.

Other provisions of proposed federal court order oblige GoodRx to direct third parties with whom it shared consumer health data to delete it and inform consumers.

GoodRX spokeswoman Casparis said the company believes “the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”