GoodRx doesn’t do a great job of protecting your privacy. And now, the FTC has an expensive prescription: huge fines and agreements to implement various privacy protections.
If you’re one of the tens of millions of people who use GoodRx to find bargains on your prescriptions, the drug discount and price-comparison site and app may have gotten a bargain of its own: your sensitive health data, which it sent to data brokers and tech companies such as Meta and Google, where it was used for advertising, the commission said.
The U.S. Federal Trade Commission announced Wednesday that GoodRx has agreed to pay a $1.5 million fine and to take various steps: to ensure it no longer shares health data for advertising purposes, to obtain user consent before sharing health data for other reasons, and to make efforts to get the third parties with which it previously shared data to delete that data. The move demonstrates the FTC’s commitment to protecting people from digital privacy violations, even though a federal privacy law, which the U.S. lacks, could make that job a lot easier. It also shows how leaky some of the services we entrust with our most private information are.
GoodRx shared the names of drugs users looked up on the app, the names of drugs for which users redeemed GoodRx coupons at pharmacies, and the medical conditions for which they received treatment through GoodRx’s telehealth platform, the FTC said. GoodRx is also accused of sending Meta a list, including identifying information, of users who had purchased certain medications and then targeting those users with ads related to conditions that GoodRx knew they had.
“Digital health companies and mobile apps should not profit from consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “[The FTC is serving] notice that it will use all of its legal powers to protect the sensitive data of American consumers from misuse and unlawful use.”
GoodRx did not immediately respond to a request for comment.
Some of GoodRx’s practices were first revealed in February 2020 by reports from Consumer Reports and Gizmodo, which detailed how user data was sent to third parties. At the time, GoodRx apologized, said the data was not used to target ads, and implemented some privacy controls. That appeared to be the end of it, since GoodRx operates in a digital privacy gray area. While it may collect the same data as pharmacies, doctors, and health insurers, for the most part it’s not subject to the same health privacy law — known as HIPAA, or the Health Insurance Portability and Accountability Act. Even though HIPAA doesn’t apply to GoodRx, the FTC said the company gave users the impression that it did by placing a small “HIPAA” icon on its website.
Even entities covered by HIPAA appear to be struggling to keep patient information from falling into the hands of data brokers and advertisers. But at least there is some legal recourse if they break that law. HIPAA violations, however, are outside the purview of the FTC — they are the job of the HHS Office for Civil Rights.
When websites and apps collect and handle health data that isn’t covered by HIPAA, that’s generally the job of the FTC’s consumer protection division. When the period tracker app Flo Health sent users’ fertility information to data brokers despite promising not to, the FTC held the company accountable for deceiving users. The FTC is also in the midst of an unfair-or-deceptive-practices lawsuit against Kochava, a data broker that the agency alleges makes it easy to obtain personally identifiable and sensitive location data that could cause significant harm, without people knowing their data is being collected or used in this way, let alone how to stop it.
For GoodRx, the situation is a bit different, as the FTC is using a rule that has never been invoked before. The Health Breach Notification Rule requires providers of personal health records not covered by HIPAA to notify consumers when third parties access their data without their authorization. It has been on the books since 2009, but the FTC hadn’t enforced it until now. The agency signaled it would take such a step in 2021, when it issued a warning to health apps and connected devices requiring them to obtain user permission before disclosing health data to third parties.
That was both a clarification of the rule and a warning that the FTC was prepared and willing to enforce it. Now it has followed through on that threat for the first time. Given FTC Chair Lina Khan’s commitment to data privacy and the notoriously leaky nature of apps and websites, it probably won’t be the last. But it should prompt some of these companies to either better protect users’ health data or give users more clarity about how and why that data is shared with others before the hammer falls on them, too.
The FTC’s new order must be approved by a federal court before it can take effect. Assuming that happens, the $1.5 million fine won’t kill GoodRx, which reported revenue of $745.42 million in 2021, the most recent year for which data is available. But it’s not nothing, either. GoodRx ended that year with a net loss of $25.25 million despite taking in nearly three-quarters of a billion dollars in revenue. Implementing all the compliance measures the FTC’s order requires will also cost money, as will whatever revenue GoodRx loses as users decide to take their business elsewhere because they don’t trust GoodRx to keep their data private.
Consumers also pay. For some of them, GoodRx disclosed their most sensitive information at a time when they were most vulnerable: looking for a way to get drugs they otherwise couldn’t afford. Now that they know at least one app sends data to Facebook, they might not be so quick to use drug discount apps in the future.