The FTC has fined online pharmacy and telemedicine provider GoodRx $1.5 million for allegedly sharing its customers’ private health data with Google, Facebook and other third parties without their consent. GoodRx also agreed to an unprecedented clause that would prohibit the company from further sharing consumer health data with third parties for advertising purposes. The FTC complaint follows investigations by Consumer Reports and Gizmodo, which first discovered in 2020 that GoodRx was sharing its customers’ private health information with more than 20 companies without consent.
In a complaint filed Wednesday by the Justice Department, the FTC accused GoodRx of violating its own privacy commitments and the FTC’s Health Breach Notification Rule by failing to notify those who use its services that their private health information, such as their medical conditions and prescription drugs, was disclosed to advertising companies and third-party platforms.
The complaint alleges that GoodRx has shared consumer health data with Facebook, Google, Criteo, Branch and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. The information was allegedly used to target GoodRx users on Facebook and Instagram with personalized ads for their medications and health conditions. The complaint also alleges that the online pharmacy misrepresented its HIPAA compliance.
GoodRx did not admit any wrongdoing in its response to the FTC’s statement, saying it agreed to the settlement “to avoid the time and expense of protracted litigation.”
“We use the vendor’s technology to advertise in a manner that we believe complies with all applicable regulations, which remains common practice across many health, consumer and government websites,” GoodRx said. The company added that the settlement focused on “an old issue that was proactively addressed nearly three years ago,” prior to the investigation. However, Gizmodo says The Markup’s Blacklight tool shows that GoodRx.com continues to share consumer information with advertising companies and has added new advertising partners since the original 2020 investigation.
The FTC’s order is still subject to federal court approval, but if approved, it could have far-reaching implications for the legality of advertising practices within the health and medical industry.
“Health apps and websites have been leaking our personal data for years without consequence,” Consumer Reports said (via The Independent). “This case should be a turning point – now companies must understand that sharing customer data without explicit permission will lead to investigations and fines.”
The practice of sharing consumer data with third parties without consent is quite common among health apps and services. However, the case marks the first time the FTC has sought to enforce its Health Breach Notification Rule, which requires companies to notify consumers of unauthorized access to their personal health records, since its introduction in 2009. The FTC has previously said the Health Breach Notification Rule also applies to consumer technology not covered by HIPAA, such as fitness trackers and health or diet apps.
“Digital health companies and mobile apps should not profit from consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC issued a notice that it will use all of its legal powers to protect the sensitive data of American consumers from misuse and unlawful exploitation.”