More like BadRx.
GoodRx has not been very good at your privacy. And now the Federal Trade Commission has written an expensive prescription: a hefty fine and an agreement to implement various privacy protections.
If you’re one of the tens of millions of people who used GoodRx to find bargains on your medications, the drug discount and price-shopping website and app might have done a little more than you bargained for: It sent your sensitive health data to data brokers as well as tech companies like Meta and Google to use for advertising, according to the FTC.
The FTC announced on Wednesday that GoodRx has agreed to pay a $1.5 million fine and take various steps to ensure that it no longer shares health data for advertising purposes, that it obtains user consent to share health data for other reasons, and that it makes an effort to get the third parties with whom it previously shared data to delete that data. The move shows how committed the FTC is to protecting people from digital privacy violations, even as America lacks federal privacy laws that would make that job a lot easier. It also shows just how leaky some of these services, which we entrust with our most private information, can be.
The FTC alleges that GoodRx shared the names of medications users were looking for on the app, which medications users redeemed GoodRx coupons for at pharmacies, and which conditions they were using GoodRx’s telehealth platform to get treatment for. GoodRx is also accused of sending lists, including identifying information, of users who purchased certain medications to Meta to then target those users with ads related to the conditions GoodRx knew they had.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
GoodRx did not immediately respond to a request for comment.
Some of GoodRx’s practices were first exposed in February 2020 by reports from Consumer Reports and Gizmodo, which detailed how user data was being sent to third parties. At the time, GoodRx apologized, said the data wasn’t used to target ads, and implemented some privacy controls. That seemed to be the end of it, as GoodRx operates in a digital privacy gray area. Though it may collect the same data that pharmacies, doctors, and health insurance companies do, in most cases it’s not beholden to the same health privacy laws — namely, HIPAA, the Health Insurance Portability and Accountability Act. Even when HIPAA didn’t apply to GoodRx, the FTC says that the company gave users the impression that it did by putting a little “HIPAA” icon on its website.
Even entities that are covered by HIPAA seem to have trouble protecting patient information from falling into the hands of data brokers and advertisers. But at least there’s some legal recourse if they violate that law. HIPAA violations aren’t under the FTC’s purview, however — they’re the job of the Health and Human Services Department’s Office of Civil Rights.
When websites and apps collect and mismanage health data that isn’t covered by HIPAA, that might be a job for the FTC’s consumer protection arm. When the period tracker app Flo Health sent users’ fertility information to data brokers despite promises that it wouldn’t, the FTC went after the company for deceiving users. The FTC is also in the midst of an unfair or deceptive acts lawsuit against Kochava, a data broker that the agency has accused of making people’s personally identifiable and sensitive location data that could cause substantial harm easily available, while those people have no way of knowing that their data is being collected or used this way, let alone how to stop it.
With GoodRx, things are a little different, as the FTC is using a rule it has never invoked before. The Health Breach Notification Rule requires vendors of personal health records that aren’t covered by HIPAA to notify consumers if their data has been accessed by a third party without consumers’ authorization. It’s been on the books since 2009, but the FTC never enforced it until now. The agency signaled a move like this would be coming in 2021, when it issued a warning to health apps and connected devices that they must get their users’ permission before disclosing their health data to third parties.
This was both a clarification of the rule and a warning that the FTC was ready and willing to enforce it. Now it’s made good on that threat for the first time. It likely won’t be the last, given FTC Chair Lina Khan’s stated commitment to data privacy and the notoriously leaky nature of apps and websites. But it should prompt some of these companies to make an effort to either better secure their users’ health data or make it more clear to them how and why it’s being shared with someone else, lest the hammer come down on them, too.
The FTC’s new order has to be approved by a federal court before it goes into effect. Assuming it is, the $1.5 million fine won’t kill GoodRx, which reported revenue of $745.42 million in 2021, the most recent year for which that data is available. But it’s not nothing, either; despite pulling in almost three-quarters of a billion dollars, GoodRx ended the year with a net loss of $25.25 million. There are also the added costs of setting up all the compliance measures the FTC requires per the order, as well as however much revenue GoodRx loses as a result of users deciding to take their business elsewhere because they don’t trust GoodRx to keep their data private.
Consumers pay, too. For some of them, GoodRx disclosed their most sensitive information when they were at their most vulnerable: searching for a way to get medication they otherwise couldn’t afford. They might not be so quick to use drug discount apps in the future now that they know at least one of them sent that data to Facebook.