FTC Fines GoodRx $1.5 Million For Health Breach Notification Rule Violation

The Federal Trade Commission has taken action against GoodRx Holdings Inc., a telehealth and prescription drug discount provider, for failure to comply with the Health Breach Notification Rule. The FTC alleges that GoodRx distributed consumer and other personal health information to Facebook, Google, and other companies without their authorization. To address this issue, the FTC has proposed an order requiring GoodRx to cease sharing user health data with third parties for advertising purposes and to pay a $1.5 million civil penalty for its violations

GoodRx operates a digital health network that enables users to evaluate prescription drug costs and secure prescription drug vouchers. It also provides a paid monthly membership service, GoodRx Gold, which states it can offer bigger discounts and virtual telehealth visits with a product known as GoodRx Care. GoodRx accumulates a considerable amount of personal data – including very sensitive health information – from customers and from pharmacy benefit managers, who are organisations that manage prescription drug benefits, verifying when someone utilises a GoodRx coupon to obtain a prescription. Since the beginning of 2017, GoodRx has been visited or utilized by more than 55 million customers. 

The Federal Trade Commission (FTC) accused GoodRx of violating the FTC Act by sharing personal health information with advertising companies and platforms without following their privacy promises. This led to unauthorized disclosures not reported as per the Health Breach Notification Rule. GoodRx shared data including prescription medications and health conditions with third parties such as Facebook, Google, Criteo, Branch, and Twilio. This information was used to target GoodRx’s own users with personalized health and medication-specific advertisements. Furthermore, GoodRx allowed other entities to utilize the data they had access to for their own objectives, while inaccurately claiming to meet the standards set by the Digital Advertising Alliance. GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting that it was compliant with HIPAA. Finally, GoodRx had no formal, written, or standard privacy or data sharing policies in place until a consumer watchdog publicly revealed their actions in February 2020.

The proposed federal court order against GoodRx entails a $1.5 million penalty for violating the rule as well as prohibiting the company from engaging in the deceptive practices outlined in the complaint. In addition, the court order requires GoodRx to get users’ affirmative express consent before distributing personal health information to any third parties. Further, GoodRx must instruct third parties to delete any health data they were provided with, and inform consumers of any breaches. Finally, the company must limit the period of time it can store personal and health data and establish a comprehensive privacy program that has reasonable safeguards to secure consumer health data.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

In respone to the court order, GoodRx realesed a statement noting that they did not agree with the FTC’s allegations and admit no wrongdoing. GoodRx believes that the FTC is focusing on an issue which had been previously adressed 3 years ago. In a statement, GoodRx said that the settlement was made in order to avoid ongoing legal costs and prolonged litigation. “we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy. While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices. We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare.”