GoodRx Faces Lawsuit Over Alleged Improper Health Data Sharing Practices

Prior to the proposed class action lawsuit filed by a GoodRx user, the Federal Trade Commission (FTC) imposed a $1.5 million civil penalty against GoodRx to resolve allegations of improper health data sharing practices.

GoodRx, along with Meta, Google, and online advertising company Criteo, was hit with a proposed class action lawsuit containing allegations of improper health data sharing practices.

GoodRx previously agreed to pay a $1.5 million civil penalty for an alleged violation of the Health Breach Notification Rule. The penalty marked the first time that the Federal Trade Commission (FTC) had taken enforcement action under the Rule.

The lawsuit was filed by a Jane Doe who previously provided her information, including health data relating to her medication history, to GoodRx “with the expectation that this information would remain confidential and private.”

“Unbeknownst to Plaintiff and Class members, this sensitive personal information communicated through the GoodRx Platform, including health information relating to medical treatments and prescriptions, was disclosed to and intercepted by some of the largest advertising and social media companies in the country, including Google, Meta, and Criteo,” the lawsuit alleged.

As explained in the FTC’s complaint, GoodRx allegedly leveraged tracking pixels and software development kits within its platform that gathered sensitive data and used it for advertising purposes.

The lawsuit claimed that the defendants’ “interception of this information without consent constitutes an extreme invasion of Plaintiff’s and Class members’ privacy.”

Following the FTC penalty, GoodRx denied any wrongdoing and explained that it settled in order to “avoid the time and expense of protracted litigation.”

“We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations,” GoodRx stated.

The use of tracking pixels by organizations that hold sensitive health data has been under scrutiny in recent months, prompting multiple breach notifications and lawsuits. For example, in October 2022, Advocate Aurora Health notified 3 million patients of a data breach stemming from the use of tracking pixels.

Advocate Aurora Health said it initially implemented tracking pixels by third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites.”

“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” the health system explained.

Advocate Aurora Health has since disabled the pixels and launched an internal investigation to determine what, if any, information had been transmitted to vendors.

Other healthcare organizations, such as Novant Health and WakeMed Health and Hospitals, reported similar incidents stemming from the use of tracking pixels. Meta is now facing multiple lawsuits related to these findings.
