GoodRx, a telehealth provider and online platform selling discounted prescription drugs, will pay $1.5 million to settle a Federal Trade Commission complaint that it failed to disclose to consumers it was sharing health data with Facebook, Google and other ad-targeting companies.
The FTC alleged that since at least 2017 GoodRx shared the sensitive health information of millions of consumers — including users’ prescription medications and health conditions — with third-party advertising companies and platforms despite promising users it wouldn’t share such data. Affected users were subsequently targeted by advertisements based on personal health data that they believed remained confidential.
The complaint is the first enforcement action the FTC has taken under its Health Breach notification rule, which requires certain entities not covered by HIPAA to notify customers and the FTC if there’s a breach of individually identifiable health information. The FTC voted in September 2021 to clarify that the rule applies to any unauthorized use of data, not just breaches.
According to the FTC complaint, GoodRx also exploited sensitive customer information for its own advertising purposes, uploading user information to Facebook for advertising campaigns that targeted users based on specific medications and health conditions.
“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a press release. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
In addition to disclosing sensitive information to third parties, the FTC alleges that GoodRx misrepresented compliance with the Health Insurance Portability and Accountability Act of 1996 and failed to provide users with a sufficient written privacy policy.
While entering into a settlement with the FTC, GoodRX maintains it did nothing wrong.
“We do not agree with the FTC’s allegations and we admit no wrongdoing,” the company said in a statement. “Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”
GoodRx’s behavior first came to light in 2020 after a Gizmodo report identified the company was using prescription information for advertising.
Between 2017 and 2020 GoodRx created advertising campaigns on Facebook and Instagram targeting users of psychiatric drugs as well as users who had visited treatment pages about conditions including “HIV” and “Pregnancy.”
In addition to the $1.5 million penalty, the proposed court order permanently prohibits GoodRx from sharing user health information with third parties for advertising, requires GoodRx to direct third parties to delete health data that was shared with them and requires the company to limit its data retention and make publicly available details about the information it collects.
