The Federal Trade Commission on Wednesday alleged drug-cost and telehealth platform GoodRx shared consumers’ personal health information with third parties like Google and Facebook.
According to the FTC’s complaint, GoodRx provided information about its users’ prescription medications and health conditions for advertising purposes, like targeting users with health-related ads on Facebook based on drugs they had previously purchased.
The agency also said GoodRx allowed third parties to use that data for their own internal purposes, misrepresented its HIPAA compliance and failed to set policies on how it should protect its users’ personal health information.
GoodRx agreed to pay a $1.5 million fine to settle the case, but admitted no wrongdoing. In addition to the payment, the FTC said its proposed court order would permanently prohibit GoodRx from sharing health data for ads, require user consent before sharing information with third parties for other purposes, direct third parties to delete previously shared data, limit how long GoodRx can keep patient information and force the company to put a privacy protection plan in place.
In a statement, the digital health company said that the settlement was related to an old issue it had addressed. It said, “[T]he requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”
This marks the first time the agency has brought an enforcement action under the Health Breach Notification Rule, which requires entities like apps and connected devices to report unauthorized sharing or breaches of consumers’ personal health data.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
THE LARGER TREND
The agency’s actions against GoodRx come as privacy experts raise concerns about the health data shared with apps and wearables.
After the Dobbs decision that overturned Roe v. Wade came down last year, some argued that personal data could be used against people who may have sought an abortion. In August, the FTC sued data broker Kochava for selling location data that could be used to track users, especially to sensitive places like abortion clinics or addiction-recovery centers.
Period-tracking app Flo, which added an “anonymous mode” after the Dobbs decision, settled with the FTC in 2021 over a complaint alleging it had shared sensitive user data with third-party marketing and analytics services from Facebook, Google and others.
Late last year, ten state attorneys general sent a letter to Apple urging the tech giant to add new protections for reproductive health data contained in third-party apps hosted on the App Store.