New York State In-depth

The FTC fines GoodRx for unauthorized disclosure of health data

In a unique enforcement action, the Federal Trade Commission has fined GoodRx Holdings Inc., a telemedicine and prescription drug provider, $1.5 million for sharing users’ personal health information with Facebook, Google and other third parties without their consent.

California-based GoodRx also agreed that, going forward, it would be prohibited from sharing user health data with third parties for advertising purposes, the FTC said. Federal court approval is still pending.

Consumer advocates hailed Wednesday’s announcement as a potential game changer that could seriously curb a little-known phenomenon: the trading of sensitive healthcare data by companies that aren’t strictly classified as healthcare providers.

“Digital health companies and mobile apps should not monetize consumers’ highly sensitive and personally identifiable health information,” said Samuel Levine, head of the FTC’s Consumer Protection Bureau, in a statement. “The FTC announces that it will use all of its legal authority to protect American consumers’ sensitive information from misuse and illegal exploitation.”

GoodRx did not immediately respond to an email seeking comment on the business impact of the enforcement action.

It’s the first such enforcement under a 2009 law, the Health Breach Notification Rule, which applies to personal health record providers and related providers that aren’t covered by HIPAA, the federal privacy regulations that govern the healthcare industry.

The enforcement comes three years after Consumer Reports found that GoodRx shared people’s personal health information with more than 20 companies. “People told us they never expected their sensitive information to be shared with companies like Google and Facebook,” said Marta Tellado, President and CEO of Consumer Reports, in a statement Wednesday. “This is a win for consumers and could have a profound impact on how our health information is kept private in the future.”

Justin Brookman, director of technology policy at the Public Interest Group, said: “Healthcare apps and websites have been leaking our personal information for years without consequence. This case should be a game changer – companies must now understand that sharing customer data without clear permission will lead to investigations and fines.”

On its website, GoodRx says it has helped consumers save more than $45 billion since 2011.

According to the FTC, more than 55 million consumers have visited the GoodRx website or mobile apps since January 2017. The company collects personal and health information from its users and from pharmacies that certify when one of its coupons has been used in a purchase.

The FTC said in a press release that GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” while sharing information about their prescriptions and health conditions with third-party advertising companies and platforms such as Facebook, Google and Criteo. That process helped GoodRx target personalized ads on Facebook and Instagram and other platforms, the FTC said.

Other provisions of the proposed federal court order require GoodRx to direct third parties with whom it has shared consumer health information to delete it and notify consumers.
