FTC Charges GoodRx with Illegally Disclosing Customers’ Health Information
Last updated February 15, 2023
Millions of Americans have saved money on their prescription drugs by using coupons from GoodRx. But at what cost?
Federal regulators have accused the California-based discount drug and telehealth provider with violating federal law by “failing to notify consumers” about its “unauthorized disclosure” of their health information to Facebook, Google, and other advertising companies.
Listen to audio highlights of the story below:
In its complaint, the Federal Trade Commission (FTC) said GoodRx was “unjustly enriched” at the expense of its users, who could face “stigma, embarrassment or emotional distress,” if their health conditions were disclosed.
Under the proposed settlement filed in federal court earlier this month, GoodRx agreed to pay a $1.5 million fine and to stop sharing health data with third parties for advertising purposes.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
GoodRx did not admit to any wrongdoing, and it disagreed with the FTC’s allegations. “We are thoughtful and disciplined about what information we gather and how and why we use it,” the company said in a statement. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.”
GoodRx claims to be “one of the most downloaded medical apps over the past decade.” Many consumer groups, including Consumer Reports and Checkbook, in the past have recommended the free service to consumers seeking ways to reduce their out-of-pocket prescription costs.
But the company has been collecting personal and health information in two ways: From the users themselves, and from pharmacy benefit managers who confirm when drug purchases are made using a GoodRx coupon.
The FTC lawsuit claims GoodRx violated the FTC’s Health Breach Notification Rule (HBNR) of 2009 (more on that later) by sharing personal health information with advertising companies and platforms, contrary to its privacy promises:
“Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.”
According to the FTC’s complaint, in 2019, GoodRx compiled lists of its users who had purchased particular medications, such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
GoodRx also “integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and mobile app,” the FTC stated.
This information sharing, the FTC said in its court papers, “led to the unauthorized disclosure of facts about individuals’ chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, parental status, substance addiction, sexual and reproductive health, and sexual orientation, as well as other information.”
Other alleged privacy violations cited by the FTC:
- Allowing the third parties it shared data with to use that information for their own internal purposes, including for research and development, or to improve advertising.
- Failing to maintain sufficient policies and procedures to protect its users’ personal health information.
- Displaying a seal at the bottom of its telehealth services homepage “falsely suggesting” to consumers that it complied with the Health Insurance Portability and Accountability Act (HIPAA), a law that requires privacy and information security protections for health data.
‘First of Its Kind’ Legal Approach
HIPAA protects only medical information collected and held by doctors and other healthcare providers, such as pharmacies and hospitals.
So, if you see a doctor about erectile disfunction (ED), your visit is covered by HIPAA—the physician, practice staff, your insurer, etc., can’t share information about your condition or treatment with anyone else. But if you search online for information about ED or download a discount coupon for Cialis (or some other ED medication), HIPAA does not apply. And if you share your official medical record with a non-health care provider, HIPAA privacy protections do not cover that information, either.
The FTC does not regulate HIPAA or enforce violations. So, in this case, the agency took a novel approach—citing a rarely used regulation, the Health Breach Notification Rule (HBNR) of 2009, which requires vendors of personal health records to notify consumers, the FTC (and, in some cases, the media) when those data are disclosed or acquired without the consumers’ authorization.”
In other words, the FTC has decided that an actual data breach is not required to violate this breach-notification rule. In its news release about the settlement, the FTC called this case the “first of its kind.”
In September 2021, the commission issued a policy statement warning companies that if they collect or use consumer health information via apps or connected devices (such as those that monitor fertility, heart, glucose, and sleep) that they must comply with HBNR.
The FTC alleges in its complaint that GoodRx violated the rule by failing to make those required notifications about the company’s “unauthorized disclosure of individually identifiable health information.”
The Proposed Settlement Agreement
If a federal court approves the proposed settlement order, GoodRx would be permanently prohibited from sharing user health information with third parties for advertising purposes. The company would also be required to:
- Obtain users’ affirmative express consent before disclosing any of their health information with other companies.
- Direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
- Limit how long it can retain personal and health information.
- Establish a comprehensive privacy program that includes strong safeguards to protect consumer data.
Consumer advocates applauded the FTC’s decision to file this case.
“This is incredibly important,” said Pam Dixon, executive director of the World Privacy Forum. She called it a “milestone” in the FTC’s enforcement of privacy protections for commercially collected health information.
Consumer Reports, which first warned that GoodRx was sharing information about prescription drugs with more than 20 companies, called the settlement a “big deal,” despite the relatively small $1.5 million fine.
“For years, we’ve seen stories about health apps sharing our data with ad-tech companies and data brokers. With this case, the FTC is saying that’s simply not allowed,” said Justin Brookman, director of technology policy for Consumer Reports. “This hopefully will lead to industrywide changes over how health data is treated.”
GoodRx changed its data policy as a result of CR’s reporting. It also created an online form customers could use to ask the company to delete their information. In its public response to the settlement, GoodRx said the FTC focused on “an old issue that was proactively addressed almost three years ago.”
Sending a Message to Health-Related Apps, Devices, and Websites
This case is about more than one company. The FTC is sending a message to the growing list of companies collecting personal health information, but are not covered by HIPAA—that they face legal action if they share this information without getting permission from their customers.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation,” the FTC’s Levine said.
“Consumers need to know plainly and simply whether a website or digital service or app is regulated under HIPAA,” World Privacy Forum’s Dixon told Checkbook. “If not, there needs to be a clear and prominent statement in the privacy policy warning that if you share your information with us, it will not have HIPAA protections.”
Until all health-related websites are required to have clear notices about their HIPAA status, hang on to your data, or assume it’s being shared.
Congress could also do something to protect consumers. Prof. Jeffrey Stanton, director of the Center for Computational and Data Science at Syracuse University’s School of Information Studies, believes the only way to deal with the continual leaking of personal information is strong federal privacy legislation, similar to what they have in Europe.
“There’s no way other than with that sort of collective government action that we can muster enough momentum to be able to counteract what the larger companies want to do,” Stanton told Checkbook. “They’ve shown over and over again that they’re bad at policing themselves when it comes to privacy issues.”
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.