Santa Monica: In a one-of-a-kind execution, the Federal Trade Commission has fined $1.5 million on prescription drug discount and telehealth provider GoodRx Holdings Inc. to share the personal data of users health data with Facebook, Google and other third parties without your consent.
Under an agreement, based in California goodx also accepted that it will be prohibited from now on to share user health data with third parties for advertising purposes, the FTC saying. GoodRx did not admit wrongdoing, saying in a blog post that it settled “to avoid the time and expense of lengthy litigation.” The agreement is pending federal court approval.
Consumer protection advocates hailed Wednesday’s announcement as a potential game changer that could seriously curb a little-known phenomenon: the trafficking of sensitive health data by companies not strictly classified as health care providers.
“Digital health companies and mobile apps should not take advantage of consumers’ highly sensitive and personally identifiable health information,” Samuel Levine, chief of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC advises that it will use all its legal authority to protect the sensitive data of American consumers from misuse and illegal exploitation.”
The execution is the first under a 2009 law, the Health Breach Notification Rulewhich applies to providers of personal medical records and related providers not covered by HIPAA, the federal privacy rules that govern the health care industry,
It comes three years after Consumer Reports discovered that GoodRx was sharing people’s personal health information with more than 20 companies. “People told us that they never expected their confidential information to be shared with Google and Facebook,” Marta Tellado, president and CEO of Consumer Reports, said in a statement Wednesday. “This is a win for consumers and could have a profound effect on how our health information is kept private in the future.”
In a lawsuit filed on behalf of the FTC, Justice Department attorneys said GoodRx’s actions had “unfairly enriched” the company at the expense of users, many of whom are chronically ill, who could face “stigma, embarrassment or emotional distress,” as well as discrimination if the facts you shared were revealed.
GoodRx said the focus of the FTC’s concerns were “proactively addressed” nearly three years ago, before the FTC investigation began.
Justin Brookman, Consumer Reports’ director of technology policy, said he believed the FTC’s investigation began after his organization’s report on February 25, 2020. Before that, the government said, “GoodRx didn’t have enough formal policies, written or standard privacy or data sharing or compliance programs. And, even after GoodRx’s practices came to light, it failed to notify users that their health information had been disclosed without their authorization.”
Company spokeswoman Lauren Casparis said via email that GoodRx “used vendor technologies to advertise in a manner that we believe complies with all applicable regulations and remains common practice among many websites.”
Those technologies included embedded web beacons known as “pixels” and other data-gathering and tracking tools from companies such as Google and Facebook, the government said.
“They put pixels on your site,” Brookman of Consumer Reports said by phone. “They don’t have to do that.”
In a statement, Brookman said, “Healthcare apps and websites have been handing over our personal data for years without consequence. This case should be a turning point: companies now need to understand that sharing customer data without clear permission will lead to investigations and fines.” “
On its website, GoodRx says it has helped consumers save more than $45 billion since 2011.
The FTC said that more than 55 million consumers have visited GoodRx’s website or mobile apps since January 2017. It said the company collects personal and health information from its users and from pharmacy benefit managers, companies who administer prescription drug benefits, who confirm when one of your coupons has been used on a purchase.
The FTC said in a press release that GoodRx “misleadingly promised its users that it would never share personal health information with advertisers or other third parties” while sharing information about their prescriptions and health conditions with third-party advertising companies and platforms, including Facebook. , Google and Criteo. That process helped GoodRx target personalized ads on Facebook and Instagram and other platforms, the FTC said.
Other provisions of the proposed federal injunction require GoodRx to direct third parties with whom it shared consumer health data to delete it and notify consumers.
GoodRX spokeswoman Casparis said the company believes “the requirements detailed in the agreement will not have a material impact on our current or future business or operations.”