FTC fines GoodRx $1.5M for sharing sensitive health data with Facebook, Google & others

The drug discount service agrees to pay fine but admits no wrongdoing, vowing settlement will have ‘no material impact’ on business.

The Federal Trade Commission on Wednesday announced that GoodRx, a drug discount app, has agreed to pay a $1.5 million civil penalty for allegedly failing to report unauthorized disclosure of consumer health data to Facebook, Google, and other third-party digital companies such as Criteo, Branch, and Twilio. It was the first such enforcement action taken under the FTC’s Health Breach Notification Rule.

As part of the settlement, the telehealth and prescription drug provider also will be prohibited from sharing user health data with applicable third parties for advertising purposes. That proposed order, filed by the Department of Justice on the FTC’s behalf, must be approved by the federal court before it takes effect.

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services for about 55 million users. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefits managers confirming when a consumer purchases a medication using a GoodRx coupon. The FTC says information GoodRx shared with third parties for advertising purposes included users’ prescription medications and personal health conditions.

One example, according to the FTC’s complaint, occurred in August 2019, when “GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.”

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

GoodRx, which claims its discounts have saved U.S. consumers an estimated $45 billion in medical costs, disagrees with the FTC’s allegations.

“We admit no wrongdoing,” company officials said in a statement. “Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”

The FTC’s complaint focused on the inclusion of a Facebook JavaScript tracking pixel, one “widely used by many consumer, health care, and government websites,” GoodRx said in its statement. “We led the industry by removing the standard Facebook JavaScript pixel almost three years ago. The Facebook pixel continues to be used by many websites on the Internet, including U.S. government websites, insurance companies, hospitals, and others.”

GoodRx said it removed the Facebook tracking pixel nearly three years ago, according to the Wall Street Journal. The company denied sharing any medical records, noting that the company “added a number of new, industry-leading ways for consumers to protect their privacy, including an option to request the deletion of personal data.”