Consumer-focused
digital
healthcare
platform
GoodRx
failed
to
notify
users
that
it
sold
their
personal
health
information
to
Google,
Facebook
and
other
tech
companies,
the
Department
of
Justice,
acting
on
behalf
of
the
Federal
Trade
Commission
(FTC)
alleged
on
Wednesday.
To
settle
the
case,
GoodRx
agreed
to
pay
a
$1.5
million
penalty
for
failing
to
report
its
leakage
of
user
data
to
third
parties,
but
did
not
admit
to
wrongdoing.
The
settlement—which
must
be
approved
by
the
federal
court
before
it
goes
into
effect—
bans
GoodRx
from
sharing
user
data
with
advertisers
and
requires
the
company
to
direct
third
parties
to
delete
the
user
data
it
shared
with
them.
In
the
complaint,
the
FTC
claimed
that
GoodRx
violated
the
FTC
Act
and
failed
to
honor
its
privacy
policies.
More
than
55
million
people
have
visited
GoodRx’s
website
and
mobile
apps
since
January
2017,
and
the
company
regularly
collects
personal
and
health
information
about
these
users.
This
information
is
gathered
from
the
users
themselves
as
well
as
from
pharmacy
benefit
managers,
which
let
the
company
know
when
a
patient
purchases
a
medication
using
a
GoodRx
coupon.
GoodRx
promised
its
users
that
it
would
only
share
their
personal
information
with
third
parties
for
limited
purposes.
The
company
also
told
its
users
it
would
restrict
third
parties’
use
of
such
information,
and
it
promised
to
never
share
users’
health
information
with
advertisers
or
other
third
parties,
the
FTC
said.
The
complaint
asserted
that
GoodRx
“repeatedly
violated
these
promises”
by
sharing
users’
information
with
advertising
companies
such
as
Google,
Facebook
and
Criteo,
as
well
other
third
party
tech
platforms
like
Branch
and
Twilio.
The
company
shared
its
users’
prescriptions,
health
conditions,
contact
information
and
mobile
advertising
IDs
with
these
third
parties
without
notifying
its
users
or
obtaining
their
consent,
according
to
the
complaint.
GoodRx
also
used
the
data
that
it
shared
with
Facebook
to
target
GoodRx
users
with
personalized
ads
on
Facebook
and
Instagram,
the
FTC
alleged.
These
ads
were
tailored
to
users’
individual
health
conditions.
In
its
complaint,
the
FTC
cited
an
example
from
2019
in
which
GoodRx
compiled
lists
of
its
users
who
had
bought
particular
medications,
such
as
those
treating
heart
disease
and
blood
pressure.
GoodRx
then
uploaded
these
users’
email
addresses,
phone
numbers
and
mobile
advertising
IDs
to
Facebook
so
the
tech
giant
could
identify
their
profiles
and
target
them
with
healthcare
advertisements,
the
FTC
claimed.
The
complaint
also
claimed
that
GoodRx
shared
user
data
with
third
parties
so
they
could
improve
their
own
operations.
For
example,
GoodRx
would
allow
third
parties
to
use
the
user
data
it
shared
with
them
for
research
and
development
or
to
improve
their
advertising
strategy,
the
FTC
alleged.
The
FTC’s
order
against
GoodRx
is
the
first
enforcement
action
the
agency
has
exercised
for
its
Health
Breach
Notification
Rule,
which
requires
vendors
of
personal
health
records
to
notify
users
and
the
FTC
when
data
is
being
shared
without
users’
consent
or
knowledge.
GoodRx
denied
wrongdoing
in
a
statement
posted
to
its
website
on
the
same
day
the
FTC
issued
its
complaint.
“We
do
not
agree
with
the
FTC’s
allegations
and
we
admit
no
wrongdoing.
Entering
into
the
settlement
allows
us
to
avoid
the
time
and
expense
of
protracted
litigation.
We
believe
that
the
requirements
detailed
in
the
settlement
will
have
no
material
impact
on
our
business
or
on
our
current
or
future
operations,”
GoodRx
said.
Photo:
marchmeena29,
Getty
Images