The Federal Trade Commission has issued a $1.5 million fine against online pharmacy and telehealth provider GoodRx for allegedly sharing its customers’ private health data with Google, Facebook and other third parties without consent. GoodRx has also agreed to a landmark provision that will prohibit the company from sharing further consumer health data with third parties for advertising purposes. The FTC’s complaint comes after investigations by Consumer Reports and Gizmodo first discovered in 2020 that GoodRx was sharing its customers’ private health information with more than 20 companies without consent.
In a complaint filed by the Department of Justice on Wednesday, the FTC accuses GoodRx of violating its own privacy promises and the FTC’s Health Breach Notification Rule by failing to notify those who use its services that their private health information, such as their medical conditions and prescription drugs, would be disclosed to advertising companies and third-party platforms.
The complaint alleges that GoodRx shared consumer health data with Facebook, Google, Criteo, Branch and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. This information was allegedly used to target GoodRx users on Facebook and Instagram with personalized ads specific to their medicines and health. The complaint also claims that the online pharmacy misrepresented its HIPAA compliance.
GoodRx did not admit any wrongdoing in its statement in response to the FTC, claiming that it accepted the settlement to “avoid the time and expense of lengthy litigation.”
“We used vendor technologies to advertise in a way that we believe complied with all applicable regulations and remains common practice among many healthcare, consumer and government websites,” GoodRx said. The online pharmacy also claims that the settlement focuses on “a longstanding issue that was proactively addressed nearly three years ago,” prior to the FTC investigation. However, Gizmodo says The Markup’s Blacklight tool shows that GoodRx.com continued to share consumer information with advertising companies and has added new advertising partners since the original research in 2020.
The FTC’s order is still subject to federal court approval, but if approved, it could have a profound effect on the legality of advertising practices within the healthcare and medical industry.
“Healthcare apps and websites have been giving away our personal data for years without consequence,” said Justin Brookman, director of technology policy at Consumer Reports (via The Independent). “This case should be a turning point: companies must now understand that sharing customer data without clear permission will lead to investigations and fines.”
The practice of sharing consumer data with third parties without consent is quite common in health apps and services. However, this case marks the first time the FTC has sought to enforce its Health Breach Notification Rule since the rule was issued in 2009. The rule requires companies to inform consumers about unauthorized access to their personal health records. The FTC has previously mentioned that the Health Breach Notification Rule could also apply to consumer technology that is not covered by HIPAA, such as fitness trackers and health or diet apps.
“Digital health companies and mobile apps should not profit from consumers’ highly sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC advises that it will use all its legal authority to protect the sensitive data of American consumers from misuse and illegal exploitation.”