GoodRx Holdings agreed to pay $1.5 million as part of a settlement reached with the Federal Trade Commission (FTC) addressing allegations the telemedicine and prescription drug discount provider shared personal health data with third parties for advertising purposes.
GoodRx must overhaul its user consent and data retention practices as conditions of the agreement announced Wednesday by the FTC. The agency’s proposed order, which it hailed as being the first of its kind, was filed by the Department of Justice and must be approved by a federal court before taking effect.
GoodRx was faulted for misrepresenting its compliance with the Health Insurance Portability and Accountability Act (HIPAA) in addition to allegedly monetizing personal health data by sharing the information with advertising platforms including Facebook and Google.
The details: GoodRx’s practices were brought to light when a nonprofit organization in February 2020 called out the company for sharing sensitive information—medication names, pharmacies where prescriptions were filled, and unique ID numbers tracking consumer behavior—with ad platforms. GoodRx responded then to the report by confirming an internal review revealed it was “not living up to [its] own standards” of privacy.
The company “did not have sufficient formal, written, or standard internal data sharing policies or procedures that governed how all types of health and personal information could be shared” at that time, the FTC alleged in its complaint. “Nor did it have sufficient or formal compliance programs for reviewing and approving all data sharing requests or third-party tracking tool integrations.”
Even after the practices, traced back to at least 2017 by the FTC, were exposed, the company “failed to notify users that their health information had been disclosed without their authorization,” the agency said, a violation of the Health Breach Notification Rule. The case marks the FTC’s first action alleging a violation of the rule.
“The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began,” the company said in a blog post. “We do not agree with the FTC’s allegations, and we admit no wrongdoing.”
GoodRx said in response to the 2020 report it added new ways for users to protect their privacy, including an option to request the deletion of personal data. The company said it removed Facebook tracking pixels in place to relay IP addresses and URL information and that it never shared medical records.
Under the order, GoodRx must seek the deletion of the health data it shared with applicable third parties and is prohibited from future sharing for advertising purposes.