FTC fines GoodRx $1.5 million for allegedly selling users’ health information

The Federal Trade Commission (FTC) has recently taken action against GoodRx, a popular prescription drug discount service, after investigations revealed they were sharing sensitive health information with big tech companies.  

In a settlement, GoodRx has agreed to pay a $1.5 million civil penalty fine for sharing users’ health information – including prescriptions and health conditions – with third parties for advertising purposes.  

This practice, which has been going on for years, is contradictory to their published privacy policies and has affected the 55 million customers they have had since 2017.  

The FTC accuses Goodrx of violating the Health Breach Notification Rule, which prohibits companies from collecting and using personal data without customers’ knowledge or affirmative consent.  

They say GoodRx “moneitized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health – and medication-specific advertisements on Facebook and Instagram” in their complaint.   

GoodRx disclosed “individually identifiable” health information to Facebook, Google, and others without consent, including specific diseases people have and what medications they take.   

In one example, GoodRx shared its users’ information — email addresses, phone numbers, and mobile advertising IDs — with Facebook. Via the social media site’s targeted advertising program, GoodRx would then market more drugs to its own users’ Facebook profiles. .  

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said the director of the FTC’s Bureau of Consumer Protection in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

The Health Breach Notification Rule allows the FTC to penalize companies for releasing potentially individually identifiable health information without informing those affected.  

GoodRx denies wrongdoing, does not agree with the allegations, and has only agreed to settle to “avoid the time and expense of protracted litigation,” according to their blog post.  

In 2020, they readily admitted to sharing personal medical information with Facebook, but said they would stop and hired a new vice president of data privacy to prove it.  

Commissioner Christine Wilson wrote in a statement that these penalties are not enough: “I am confident that a sizable percentage of consumers would have foregone the benefits of using GoodRx’s coupons and other services had they known about the company’s sieve-like data practices, an indicator that the company’s ill-gotten gains almost certainly constitute a large multiple of the $1.5 million civil penalty.”  

In addition to the fine, the proposed federal court order permanently bars GoodRx from sharing health information for ads and requires user consent for any other type of data sharing. The FTC imposed a time restriction on how long they can keep data.  

GoodRx is the first company to be punished in violation of Health Breach Notification Rule that was enacted in 2021, but it won’t be the last. In an investigation of direct-to-consumer telehealth sites, 13 of 50 shared medical data with big tech companies.