FTC finds GoodRx shared sensitive health data with Facebook, Google

The FTC on Wednesday filed a court order against GoodRx for failing to notify users that it shared their personal, identifiable health data with Facebook and Google and said it would permanently ban the company from sharing such information for ads, should the court order be federally approved.

Why it matters: The court order is the first FTC action under the Health Breach Notification Rule, which requires companies to notify users when their health data is infringed upon, and includes several safeguards aimed at protecting consumer data. It must be approved by the federal court to go into effect.

• “We’re making clear that apps violating this rule need to come clean with consumers when they share sensitive data improperly,” an FTC official said during a press briefing about the order.
• The order must be approved by the federal court to go into effect.

Zoom in: The health data GoodRx shared with tech companies includes individually identifiable data on users’ prescription medications and health conditions. Per the complaint:

• In August 2019, GoodRx compiled lists of users who’d purchased medications for heart disease and high blood pressure and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook so it could identify their profiles.
• GoodRx then used that information to target users with relevant ads.

Details: The court order, filed by the Department of Justice on behalf of the FTC in California’s Northern District, found GoodRx shared data with companies including Facebook, Google, Criteo, Branch and Twilio. The order found GoodRx:

• Monetized users’ personal health data to target them with health- and medication-specific ads on Facebook and Instagram.
• Let third parties it shared data with use the information for research, development or advertising purposes without getting consent.
• Misrepresented its HIPAA compliance, displaying a seal at the bottom of its telehealth site falsely suggesting it complied with the law.
• Failed to maintain sufficient policies or procedures to protect its users’ personal health information.

State of play: GoodRx, which offers prescription discount coupons and telehealth services, lets users track their personal health data to save, track and get alerts about prescriptions, refills, pricing and medication purchase history.

• Per the complaint, the company collects data from users themselves and from pharmacy benefit managers (PBMs) that confirm when someone buys a prescription drug using one of its coupons.
• Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps, the complaint says.

What they’re saying: “Health data today isn’t just what your doctor keeps in a file behind a desk,” an FTC official said during the briefing. “And the way we’re enforcing this reflects that new reality.”

• “We expect this to have a significant impact on the marketplace,” the official added.

Flashback: The FTC in 2021 issued a warning to health apps and others that collect or use consumers’ health information that they must comply with the Health Breach rule.

• “We are now showing the market that we meant business when we issued that policy statement,” the FTC official said.

What’s next: In addition to charging GoodRx with a $1.5 million civil penalty and banning it from disclosing user health information for ads, the order requires that the company:

• Direct third parties to delete the consumer health data shared with them and inform users about the breaches and the FTC’s enforcement action.
• Get users’ consent before sharing health data with third parties for purposes other than ads and detail the types of health information it will disclose to those parties.
• Limit how long it can retain personal health information.
• Create a privacy program that includes safeguards to protect such data.

Of note: While the order only binds GoodRx, companies including Facebook who received the data “are on notice that they were in receipt of data that was illegally collected,” another FTC official said.

GoodRx did not immediately reply to a request for comment.