Getty Images/iStockphoto
FTC Imposes $1.5M Penalty on GoodRx Over Failure to Report Healthcare Data Breach
The FTC alleged that GoodRx failed to notify consumers of a healthcare data breach stemming from its unauthorized disclosure of user health information to Facebook, Google, and other third parties.
UPDATE 2/2/2023 - This article has been updated to include a statement from GoodRx.
GoodRx agreed to pay a $1.5 million civil penalty for violating the Health Breach Notification Rule by failing to notify consumers of a healthcare data breach, the Federal Trade Commission (FTC) announced. The penalty marks the first time the FTC has taken enforcement action under its Health Breach Notification Rule.
GoodRx, a telemedicine and prescription drug discount provider, “violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures,” the FTC stated.
Specifically, the company leveraged third-party tracking pixels and “plug and play” software development kits from companies like Facebook, Google, Criteo, Branch, and Twilio that allegedly gathered sensitive data and used it for advertising purposes.
As previously reported, Meta and a variety of healthcare organizations are facing backlash over the use of tracking pixels that transmit data without patient consent. Tracking pixels are typically used for targeted marketing and tracking user activity, but on numerous hospital websites, the pixel was found on password-protected patient portals.
In the case of GoodRx, the FTC alleged that the company had “deceptively promised its users that it would never share personal health information with advertisers or other third parties.”
Despite these promises, the FTC alleged that GoodRx had repeatedly shared data with Facebook, which was later used to target GoodRX users with personalized advertisements on Facebook and Instagram.
“For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements,” the FTC release stated.
The FTC accused GoodRx of allowing these third parties to use this sensitive data for their own internal purposes, misrepresenting HIPAA compliance, and failing to maintain sufficient policies to protect its users’ information.
In addition to the monetary penalty, the proposed court order prohibits GoodRx from engaging in deceptive practices such as sharing health data for the purpose of advertising. The company will also be required to obtain affirmative consent before disclosing user health information to third parties, and must direct the third parties to delete the health data that was previously shared with them.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in the announcement.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
GoodRx issued a statement and blog post following the FTC's announcement.
"We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations," GoodRx stated.
"In fact, almost three years ago, before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy. While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices. We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare."