GoodRx customers got their bubbles burst last week when Consumer Reports called out the 8-year-old startup for sharing sensitive information—medication names, pharmacies where prescriptions were filled, and unique ID numbers tracking consumer behavior—with 20 other internet-based companies, including Facebook and Google.

In a response statement Friday, several days after the article was published, GoodRx confirmed an internal review revealed it was “not living up to [its] own standards” of privacy.

GoodRx uses third-party platforms like Facebook and Google to reach new customers and retarget users who visited its website in the past. It uses marketing company Braze to email or text users reminders about prescription refills.

However, unbeknownst to users (of which there are 15 million per month, according to the company website), the aforementioned companies until recently received the names of medications people were researching, along with other details that, when coupled with the troves of data at certain tech giants’ disposal, could let those companies tie a specific person to their personal health information, according to Consumer Reports. In the case of Facebook specifically, Consumer Reports’ Digital Lab was able to confirm that sensitive information was being passed along.

On its face, GoodRx seems like a godsend. On the company’s app, consumers can research price comparisons and shop for discounts on prescription drugs not covered by their insurance. The company’s website emphasizes consumers can save up to 80 percent on their medications. The homepage specifically highlights savings on drugs treating depression, generalized anxiety, obsessive-compulsive disorder, post-traumatic stress disorder, and erectile dysfunction, among other sensitive conditions. These types of medications can be both prohibitively expensive and indispensable to users who rely upon them; in that regard, GoodRx’s mission to help consumers “get affordable and convenient healthcare” is an admirable one.

But the company’s missteps in protecting users’ personal health information prompted Friday’s mea culpa.

“A recent story in Consumer Reports … suggested that we were sharing more personal information with some third-party advertising platforms than we intended. Their feedback led us to re-examine our policies. In the course of our review, we found that in the case of Facebook advertising, we were not living up to our own standards. For this we are truly sorry, and we will do better,” the company stated.

One might assume—as many GoodRx users have—that because consumers entrust GoodRx with their personal health and pharmaceutical information, the internet company would fall under the purview of HIPAA (the Health Insurance Portability and Accountability Act). Not the case.

Many internet-based, direct-to-consumer companies that handle personal health data fall outside HIPAA, because the law applies only to “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to the business associates that process data on their behalf. A consumer app that users hand their health information to directly is generally neither. Consequently, companies like GoodRx are legally free to share sensitive data with other companies, and oftentimes do.

Compliance Week looked into this same trend in the femtech industry, where fertility and period-tracking apps like Clue and many others also fall outside HIPAA. When CW reached out to Ida Tin, CEO of Clue, about the company’s data-protection policies last fall, specifically inquiring how it manages compliance with the General Data Protection Regulation, the California Consumer Privacy Act (CCPA), and (should the situation ever arise) HIPAA, the company responded it was “going to be unable to answer [the] questions as neither Ida nor the data team [had] the capacity to answer them in any meaningful way.”

In the case of GoodRx, the company outlined five action steps it is now taking to enhance consumer data protection:

  • No drug name or condition typed into the GoodRx search bar will be shared with Facebook, even in encrypted form;
  • All web usage data shared with Google will be encrypted and audited according to strict privacy standards;
  • Enhanced third-party auditing: The company pledges to audit its agreements with third-party service providers to ensure the highest standards of data privacy, “including HIPAA standards wherever appropriate”;
  • The company is offering consumer protections required under the CCPA, such as opt-out and data deletion requests, to all users, not just California residents; and
  • The company appointed a vice president of data privacy to oversee data privacy efforts; to coordinate efforts between engineering, marketing and other teams; and to strictly monitor the flow of data.

Two of these commitments deserve a closer read. “Encrypted” in the first item refers to the hashing that ad platforms apply to shared values, and hashing offers little protection when the possible values are a short, public list of drug names: the recipient can hash the same list and match every value, which is why stopping the sharing altogether is the meaningful step. In the second item, encrypting web usage data in transit protects it from eavesdroppers, not from Google, which decrypts it on receipt; what an audit has to verify is which fields are sent at all, not how they travel.

“We will continue to strictly regulate how information flows to our partners to make sure that our users’ privacy is protected in every case,” GoodRx stated. “We believe we can help consumers save money and continue to put their privacy first.”