Privacy, Breach, Supply chain

Lawsuit blasts GoodRx, Meta over ‘egregious’ privacy practices


A lawsuit claims GoodRx misled users about its data-sharing practices, which allowed Meta's Facebook and Google to “intercept” personal and health data with no user consent. Named as defendants in the suit are Meta, Google, Criteo and GoodRx.

The lawsuit, filed in the U.S. District Court of Northern California, asserts GoodRx, a telehealth and prescription drug discount provider, allowed Meta, Google, and Criteo to intercept consumer data and use it for digital marketing purposes. Last week, GoodRx was hit with a $1.5 million fine by the Federal Trade Commission for related data-sharing violations.

Consumers had no way of knowing that GoodRx was intercepting their private health data when interacting with the GoodRx Platform, according to the lawsuit filed on Feb. 2. The lawsuit argued that the GoodRx software collected that data “inconspicuously in the background.”

“This conduct is all the more egregious given the nature of the information entered into the GoodRx Platform, e.g., personally identifiable information, requests for prescriptions, and identifiable medical information, among other things,” said lawyers representing the plaintiff.

GoodRx, in response to the FTC action, said in a statement it was wrongly accused. It argued the recent action by the Feds focused on “an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.”

“We do not agree with the FTC’s allegations and we admit no wrongdoing,” GoodRx leadership said in a statement. “Almost three years ago… we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy.”

GoodRx Under a Privacy Microscope

GoodRx is no stranger to scrutiny tied to sharing customer identities. Consumer Reports reported in 2019 that GoodRx was sharing medication names and other intimate details of users with 20 internet companies. The research revealed that, combined with browser information, these third parties could infer a great deal of sensitive information about users.

At the time, GoodRx apologized for the disclosures and lack of transparency, while making policy changes to address the issues brought to light by Consumer Reports.

GoodRx's most recent lawsuit accuses the company of monetizing and using consumer data “to serve personalized advertisements.” That includes paying “Meta to serve advertisements based on users’ prescription medication.” The lawsuit lists a number of GoodRx campaigns that allegedly targeted users with highly sensitive ads on Instagram and Facebook between 2017 and 2019.

Further, the use of Meta’s “Ads Manager” and “Custom Audiences” features allegedly allowed GoodRx to identify users with Facebook and Instagram accounts to then upload “data directly to Meta, including users’ email addresses, phone numbers, and mobile identifiers to identify users.”

“GoodRx then categorized users based on their health information, e.g., users who had used a certain prescription,” according to the lawsuit. The company then “disclosed and allowed Meta to intercept and use this information to create Custom Audiences… based on the medication these users had been prescribed.”

Notably, these campaigns mirror previous allegations levied against Meta and Facebook, but not involving GoodRx. Meta is facing over a dozen lawsuits tied to accusations in 2022 that Meta used data scraped from hospital websites. One of those lawsuits claims Meta scraped data from 664 hospital systems or provider websites, where Meta's Pixel ad tracking technology allegedly obtained health data for marketing purposes.

The Feb. 2 lawsuit asserts that the information sent to advertisers by GoodRx included sensitive data tied to medical treatments and prescriptions that was then “intercepted by Criteo.” According to Criteo's own website, it “is an advertising company that provides online display advertisements.”

Each company is accused of privacy violations and of violating several California laws, including the Confidentiality of Medical Information Act and the California Invasion of Privacy Act.

The lawsuit joins a laundry list of other consumer-led legal filings that blast the company's alleged “routine” data scraping. The latest filing makes note of these dubious practices, which Meta has allegedly acknowledged in “its efforts to develop a ‘Health Terms Integrity System’ intended to filter out this type of information.”

“However, independent investigations have confirmed these data filtration systems are not successful at preventing the interception of health data,” the lawsuit argues.

The legal actions spotlight growing government and private efforts to curb advertisers' alleged oversharing of health data with no consumer consent.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
