This is not what the doctored ordered.
The Federal Trade Commission has fined telehealth and prescription drug discount provider GoodRX (GDRX) $1.5 million for sharing consumers’ personal health information to Meta Platform's (META) Facebook, Google (GOOGL), and other companies without their consent.
The FTC said on Feb. 1 that is the first time the agency has taken enforcement action under its Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation," Levine added.
In a statement, GoodRx said that "we do not agree with the FTC’s allegations and we admit no wrongdoing."
"Entering into the settlement allows us to avoid the time and expense of protracted litigation." the company said. "We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations."
In a first-of-its-kind proposed order filed by the U.S. Department of Justice on behalf of the FTC, the agency said, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes. The company also agreed to pay the $1.5 million penalty.
Shared Personal Health Info 'for Years'
GoodRx collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon.
Since January 2017, the FTC said, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.
The agency said GoodRx shared sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.
GoodRx monetized its users’ personal health information and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram, the FTC said.
The agency cited a case in August 2019, where, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles.
GoodRx then used that information to target these users with health-related advertisements, the FTC said.
In addition, GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
GoodRX, which is based in Santa Monica, CA, is scheduled to report fourth-quarter earnings on Feb. 28 after the market closes.
