
FTC slaps GoodRx with a $1.5M fine for sharing health data with Facebook, others


The Federal Trade Commission slapped GoodRx with a $1.5 million civil penalty for questionable privacy practices tied to sharing personal consumer health data with Facebook, Google and Twilio.

The enforcement action was filed Wednesday and is a “first-of-its-kind proposed order” filed by the Department of Justice on behalf of the FTC under its new Health Breach Notification Rule.

GoodRx, a telehealth and prescription drug discount provider, is now barred from any future unauthorized consumer data disclosures and must instruct Facebook and other third parties to delete all consumer data tied to the unauthorized disclosure of GoodRx data. The company must also limit the retention of its customer data to a set schedule, implement a comprehensive data privacy program and gain user consent before disclosing health information.

"GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information," according to the complaint (PDF).

The settlement comes on the heels of several financial blowbacks reported by GoodRx. Prior to reporting a low-performing third quarter with a 4% decrease in revenue, the company laid off 140 employees, or 16% of its workforce, in September 2022.

The FTC maintains the company engaged in “repeated, unauthorized disclosures of users’ personal and health information over the course of a four-year period” with third-party advertising companies and platforms. Those platforms were identified as Facebook, Google, Criteo, Branch and Twilio.

User data included prescription information and personal health conditions, contact details, and unique advertising and persistent identifiers. As a result, users’ “extremely intimate and sensitive details” were directly exposed to advertisers and other third-party vendors.

The data could be tied to consumers’ “chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, information relating to parental status, substance addiction, sexual and reproductive health, sexual orientation, and other highly sensitive and personal information,” according to the FTC.

The company is also accused of allowing these third parties to “use and profit” from users’ “information for their own business purposes.”

The FTC said the unauthorized disclosures occurred despite GoodRx promising users it would only share their data with third parties for “limited purposes” and “would never share personal health information with advertisers or other third parties.”

The filing reports that “GoodRx repeatedly violated these promises.” What’s more, the third-party data sharing was done without notice to consumers and without asking for their consent.

The FTC highlighted the relationship between Facebook and GoodRx, alleging that GoodRx exploited the data shared with Facebook to target users with ads on Meta’s social media platforms.

“Using Facebook’s ad targeting platform, GoodRx matched specific users to their personal health information and designed campaigns that targeted users with advertisements based on their health information—all of which was visible to Facebook,” according to the filing.

If true, the allegations against GoodRx mirror similar reports about Meta’s Pixel tool used by health systems for analytics purposes. Multiple ongoing lawsuits accuse Facebook of using data scraped from hospital websites to target individuals with highly sensitive ads.

In the case of GoodRx, the filing says “these campaigns featured advertisements relating to specific medications (e.g., Viagra), or specific health conditions (e.g., erectile dysfunction) that GoodRx believed would be of interest to them.”

In another campaign, in 2019, the FTC accuses GoodRx of compiling lists of its users who had purchased particular medications, then uploading their contact information and mobile advertising IDs to Facebook in an effort to identify their profiles. The users were then labeled by the medications they had purchased and targeted with health-related advertisements.

The filing also shows GoodRx “violated its promises to users by failing to implement sufficient policies or procedures to prevent the improper disclosure of sensitive health information or to notify users of breaches of that information.”

Before a consumer watchdog publicly reported these actions in 2020, the company had no “sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.” Even after this report, the FTC filing shows GoodRx never informed its users of the unauthorized disclosure of their health information.

The enforcement action is the first under the FTC’s Health Breach Notification Rule. The agency has long had the authority to tackle possible health data privacy violations not covered by the Health Insurance Portability and Accountability Act (HIPAA). However, the rule was not specifically invoked in past cases against health app developers, such as the Flo Health action in 2021.

Samuel Levine, FTC director of the Bureau of Consumer Protection, said the action aims to serve “notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Levine in a statement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
