FTC Fines GoodRx $1.5M for Sharing Health Data With Facebook, Google

What does it mean for CIOs? In this first known action for violation of the Health Breach Notification Rule, the FTC sets a precedent for how a company's definition of 'business' may legally be called a 'breach.'

Brian T. Horowitz, Contributing Reporter

February 2, 2023

[Photo illustration: the stock trading graph of GoodRx Holdings seen on a smartphone screen. SOPA Images Limited / Alamy Stock Photo]

On Feb. 1 the Federal Trade Commission announced a proposed settlement with drug discount and telehealth provider GoodRx, in which the company must pay a $1.5 million civil penalty for violating the Health Breach Notification Rule (HBNR). The agreement between the FTC and GoodRx is pending approval by a federal court.

GoodRx is a free healthcare discount resource that helps consumers find pharmacies offering the least expensive options for prescriptions.

The FTC’s complaint stated that GoodRx violated the FTC Act by sharing sensitive personal health information with advertising companies and platforms and not reporting “unauthorized disclosures” as required by the HBNR.

“We do not agree with the FTC’s allegations and we admit no wrongdoing,” GoodRx stated in a press release. “Entering into the settlement allows us to avoid the time and expense of protracted litigation.”

The federal government’s order is the first known action against a company for violating the HBNR, which requires personal health record vendors and other organizations to notify consumers if they have improperly shared unsecured information. The FTC also said GoodRx “misrepresented” its compliance with the Health Insurance Portability and Accountability Act (HIPAA) by placing a seal on its telehealth website. However, GoodRx says it removed the old seal from the site as part of its integration of the telehealth business, which it acquired in 2019.

The company says it has saved consumers about $45 billion in medical costs. It offers a prescription discount card as well as a price-comparison tool to save on medication. Patients can use the discount cards in addition to or instead of insurance. GoodRx also offers a telehealth service for $19 with a Gold membership and starting at $49 without a membership.

An Eye on MarTech Practices

In addition to announcing the proposed penalty, the FTC said GoodRx falsely reported that it complied with Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising. The DAA is a nonprofit organization that established privacy practices around transparency and control of data across multiple sites and applications.

Under the settlement, the FTC would bar GoodRx from participating in what it calls deceptive practices such as dark patterns, which are “manipulative” ways to seek users’ consent to share data, according to the proposed order. GoodRx must now limit the length of time it stores users’ personal and health information. The FTC will also require GoodRx to ask third parties to delete the consumer health data shared with them.

The FTC says that in August 2019 GoodRx uploaded sensitive data to Facebook, including the email addresses, phone numbers, and mobile advertising IDs of users who purchased heart disease and blood pressure medications. The company then used this information to send targeted advertisements to these consumers, according to the FTC.

GoodRx says it made some adjustments close to three years prior, due to an early FTC inquiry.

“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer, and government websites, we are proud that we took action to be an industry leader on privacy practices,” GoodRx stated in its response.

The HBNR and Data Privacy

The FTC reported that GoodRx violated the HBNR because it didn’t provide notice to consumers, the FTC, and the media that it had provided “individually identifiable” health information to Branch, Criteo, Facebook, Google, and Twilio. An FTC policy statement in September 2021 notified health applications and similar businesses that collection or use of consumers’ health information must comply with the HBNR.

Citing the HBNR in its decision was an interesting approach that could set a precedent, according to Shahid Shah, a digital health/life sciences entrepreneur and publisher of Medigy Innovation Network, a crowdsourced peer-to-peer community of clinicians, patients, developers and healthcare vendors.

“This wasn’t easy to do internally at the FTC but now does have a small precedent-setting effect,” Shah told InformationWeek. “I am surprised by the FTC finding because, while the action is necessary, I did not think they would be able to find a direct link from internal GoodRx data to external sale of patient information and tie it so creatively to a ‘breach notification.’ Typically, when something is not plain letter of the law, government agencies find it difficult to ‘do the right thing.’ In this case, I think they did the right thing and the fines were low enough to make a statement but not punish GoodRx too much as the first enforcement action.”

Data breaches are often thought of as something carried out by hackers and cybercriminals, but in this case, by citing the HBNR, the FTC is using “data breach” to refer to “non-rogue strategic actions like selling or sharing patient data,” Shah noted.

“With this settlement and no lawsuit to determine otherwise, the FTC’s new definition of ‘breach’ will be used to find and fine the same behavior at other companies,” Shah said.

Following the overturning of Roe v. Wade by the Supreme Court in 2022, healthcare organizations face added pressure to maintain data privacy for sensitive conditions. Customers use GoodRx to save on medication for everything from birth control to bipolar disorder.

GoodRx’s Use of Meta Pixel in Question

The fine stems from GoodRx’s use of Meta Pixel on its GoodRx and GoodRx Gold sites. According to GoodRx’s response, the digital health company shared IP addresses and web page URL information with the vendor.

“Any sharing with vendors was done with confidentiality provisions in place and to our knowledge, those vendors did not leak or otherwise re-share the information,” GoodRx said in a blog post. The company added that it did not share medical records.

“We used Facebook tracking pixels to advertise in a way that we feel was compliant with regulations and that remains common practice for many websites,” GoodRx stated. “We do not agree with the assertion that this was a violation of the HBNR.”

GoodRx also said that advertising tracking pixels are commonly used by US government websites, insurance companies, hospitals, and other organizations. In fact, several healthcare organizations have recently reported leaking personal health information via tracking pixels. Advocate Aurora Health's data exposure was estimated to impact up to 3 million individuals.

The FTC warned against misuse of health data for financial gain.

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

In the meantime, GoodRx doesn’t expect the FTC settlement to affect its business now or in the future and wants to move forward.

“Given that the settlement won’t require any significant changes in our current practices or products, we decided it was best to put this matter behind us,” GoodRx said in its post.

What’s Next for Healthcare Data Privacy?

The FTC may crack down harder on other companies in the future that violate data privacy laws, Shah noted.

“I think it was a reasonable settlement for the first enforcement action, but I think they will not be so generous with future offenders,” Shah said.

To protect against unintended data breaches, IT leaders will need to pay more attention to data lineage, including tracking where patient data is packaged, shared, or sold, in order to avoid disputes that, unlike the GoodRx matter, end in lawsuits rather than settlements, according to Shah. He noted that this type of strategic planning was not something IT leaders usually had in their wheelhouse before.

“Now IT leaders will need to be more involved in reclassifying the ‘inappropriate use of patient data’ by their own bosses as a potential breach under HBNR,” Shah said.


About the Author(s)

Brian T. Horowitz

Contributing Reporter

Brian T. Horowitz is a technology writer and editor based in New York City. He started his career at Computer Shopper in 1996 when the magazine was more than 900 pages per month. Since then, his work has appeared in outlets that include eWEEK, Fast Company, Fierce Healthcare, Forbes, Health Data Management, IEEE Spectrum, Men’s Fitness, PCMag, Scientific American and USA Weekend. Brian is a graduate of Hofstra University. Follow him on Twitter: @bthorowitz.
