GoodRx hasn’t been very good about your privacy. And now the Federal Trade Commission has issued an expensive prescription: a hefty fine and an agreement to implement various privacy protections.
If you’re one of the tens of millions of people who used GoodRx to find bargains on your drugs, the drug discount and price shopping website and app may have done a little more than you bargained for: It sent your sensitive health data to data brokers and tech companies like Meta and Google to use for advertising, according to the FTC.
The FTC announced on Wednesday that GoodRx agreed to pay a $1.5 million fine and take several steps to ensure it no longer shares health data for advertising purposes, obtains user consent before sharing health data for other reasons, and makes an effort to have the third parties with whom it previously shared data delete that data. The move shows how committed the FTC is to protecting people from digital privacy violations, even though America has no federal privacy law that would make that job a lot easier. It also shows how leaky some of the services we entrust with our most personal information can be.
The FTC alleges that GoodRx shared the names of medications users searched for on the app, which medications users redeemed GoodRx coupons for at pharmacies, and which conditions they used GoodRx’s telehealth platform to get treatment for. GoodRx is also accused of sending lists, including identifying information, of users who purchased certain drugs to Meta and then targeting those users with ads related to the conditions GoodRx knew they had.
“Digital health companies and mobile apps should not be allowed to monetize consumers’ highly sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is announcing that it will use all of its legal authority to protect the sensitive data of U.S. consumers from misuse and illegal exploitation.”
Some of GoodRx’s practices were first exposed in February 2020 by reports from Consumer Reports and Gizmodo, which described how user data was sent to third parties. GoodRx apologized at the time, said the data was not used to target ads, and implemented some privacy controls. That seemed to be the end of it, as GoodRx operates in a digital privacy gray area. While it can collect the same data as pharmacies, doctors and health insurance companies, in most cases it is not bound by the same health privacy laws, namely HIPAA, the Health Insurance Portability and Accountability Act. Even when HIPAA didn’t apply to GoodRx, the FTC says the company gave users the impression it did by placing a small “HIPAA” icon on its website.
Even entities covered by HIPAA seem to struggle to keep patient data from falling into the hands of data brokers and advertisers. But at least there’s a legal recourse if they break that law. However, HIPAA violations are not the purview of the FTC – they are the job of the Health and Human Services Department’s Office of Civil Rights.
When websites and apps collect and mishandle health data that isn’t covered by HIPAA, that can be a job for the FTC’s consumer protection bureau. When period tracker app Flo Health sent users’ fertility information to data brokers, despite promises it wouldn’t, the FTC went after the company for misleading users. The FTC is also in the middle of a lawsuit over unfair or deceptive acts against Kochava, a data broker the agency accuses of making people’s personally identifiable and sensitive location data readily available, data that can cause significant harm when those people have no idea it is being collected or used in this way, much less how to stop it.
With GoodRx, things are a little different, because the FTC is using a rule that has never been used before. The Health Breach Notification Rule requires vendors of personal health records not covered by HIPAA to notify consumers if their data has been accessed by a third party without the consumer’s consent. It’s been on the books since 2009, but the FTC had never enforced it until now. The agency signaled that such a move would come in 2021, when it announced a warning to health apps and connected devices that they must get their users’ consent before disclosing their health data to third parties.
This was both a clarification of the rule and a warning that the FTC was ready and willing to enforce it. Now that threat has been carried out for the first time. It probably won’t be the last, given FTC Chair Lina Khan’s stated commitment to data privacy and the notoriously leaky nature of apps and websites. But it should prompt some of these companies to make an effort to keep their users’ health data more secure, or to make it clearer to users how and why it is being shared with someone else, lest the hammer fall on them too.
GoodRx said in a statement that the settlement with the FTC related to an “old matter” that was “addressed nearly three years ago, before the FTC investigation began.” It says it entered into the settlement to avoid costly litigation and disagrees with how the FTC has applied the Health Breach Notification Rule.
“We disagree with the allegations made by the FTC and we do not admit wrongdoing,” GoodRx said. “[W]e had used vendor technologies to advertise in a manner that we believed complied with all applicable regulations and is still common practice on many health, consumer and government websites.”
The FTC’s new order must be approved by a federal court before it takes effect. Assuming it is, the $1.5 million fine won’t kill GoodRx, which reported sales of $745.42 million in 2021, the most recent year for which that data is available. But it’s not nothing either; despite raking in nearly three-quarters of a billion dollars, GoodRx ended the year with a net loss of $25.25 million. There’s also the added cost of setting up all the compliance measures the FTC requires under the order, as well as however much revenue GoodRx loses as users decide to take their business elsewhere because they don’t trust GoodRx to keep their data private.
Consumers also pay. For some of them, GoodRx released their most sensitive information when they were most vulnerable: looking for a way to get medicine they couldn’t afford otherwise. They may be less likely to use drug discount apps in the future now that they know that at least one of them has sent that data to Facebook.
Update, 12:10 p.m. ET: This story has been updated with GoodRx’s statement.