FTC fines GoodRx $1.5M for illegally sharing user data

Steven Loeb · February 2, 2023 · Short URL: https://vator.tv/n/561c

GoodRx denies any wrongdoing, saying it fixed the issues three years ago

GoodRx is best known for offering patients a free price comparison tool so they can save money on their prescription drugs, presenting them with coupons that they can give to their pharmacist so they can pull up the lowest discount available.

Turns out, saving people money on their medications is not the only thing the company was doing with that data: according to the FTC, it was also sharing consumers' personal health information with companies such as Facebook, Criteo, and Google, all without telling the consumer it was doing so.

That's a big no-no and now the company has been fined $1.5 million as a result. 

According to the FTC allegation, GoodRx not only violated its own policies around sharing health information, but also the Health Breach Notification Rule, which requires vendors of personal health records to notify consumers following a breach involving unsecured information.

"Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio," wrote the FTC.  

For example, the company is accused of compiling a list of its users who had purchased certain medications, and then uploading data that included their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx used that information to target those users with ads.

On top of that, the FTC also says that the company misrepresented its HIPAA compliance by displaying a seal at the bottom of its telehealth services homepage that suggested it was complying with the law.

In addition, by not notifying consumers it was sharing this data, GoodRx violated the Health Breach Notification Rule.

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement.

“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

The proposed order still has to be approved by a federal court to go into effect. If it is approved, GoodRx will have to take actions to remedy the situation, including obtaining user consent before it can share users' health information. The order also requires GoodRx "to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information."

The company will be permanently prohibited from disclosing user health information to applicable third parties for advertising purposes. It will also be required to direct those third parties to delete the consumer health data that it already shared with them, to limit how long it can retain personal and health information according to a data retention schedule, and to put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

GoodRx was founded in 2011, and its coupons are accepted at over 70,000 retail pharmacies in the United States, Puerto Rico, and the U.S. Virgin Islands; that includes chains like CVS, Walgreens, Kroger, Rite Aid, Costco, and Walmart. The company says it has saved consumers over $40 billion to date and it estimates that it has helped more than 18 million people since 2011.

In a statement, the company pushed back, saying that the FTC was focusing "on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began."

"At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it," wrote GoodRx, which detailed all the ways it says it already addressed the issue at the time.

Still, the company is agreeing to pay the fine, rather than fight it.

"We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations," wrote GoodRx. 
