
The company name may be GoodRx, but it’s unlikely that “good” is the adjective consumers would use to describe the way the company violated its privacy promises by disclosing their personal health information to companies like Facebook and Google without authorization. How did GoodRx accomplish that? By using automatic “plug and play” tracking pixels and software development kits (SDKs) from Facebook, Google, and other companies that are designed to grab a substantial amount of consumer data and turn it over for advertising purposes. In the case of GoodRx, this included consumers’ personal and health information.

To settle the FTC’s first action alleging a violation of the Health Breach Notification Rule, GoodRx will pay a $1.5 million civil penalty. But there’s another first-of-its-kind provision in the proposed settlement sure to generate water cooler talk among app developers, privacy professionals, and others in the burgeoning health technology industry. Read on for details.

GoodRx runs a digital health platform where consumers can compare prescription drug prices and get prescription drug coupons. It also offers a paid monthly subscription service, GoodRx Gold, which claims to offer greater discounts and virtual telehealth visits through a product called GoodRx Care. GoodRx collects a substantial amount of personal data – including highly sensitive health information – from consumers and from pharmacy benefit managers, which are companies that manage prescription drug benefits, confirming when someone uses a GoodRx coupon to get a prescription.

Although the specific language has changed over the years, GoodRx has made numerous privacy promises to consumers. For example, in describing its use of third-party tracking tools, GoodRx assured people, “[W]e never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” GoodRx also promised users that it “rarely shares” personal health information with third parties, and when it does, it “ensures that these third parties are bound to comply with federal standards as to how to treat ‘medical data’ that is linked with your name, contact information and other personal identifiers.” In addition, GoodRx stated it would share users’ personal information only for certain limited administrative functions – for example, “to provide services directly to users,” “to comply with the law or legal process,” “to act in an emergency to protect someone’s safety,” or “to handle customer requests.”

To use a phrase we’ve had to repeat with troubling frequency in recent blog posts, that’s what the company promised, but the FTC says what GoodRx was doing behind the scenes contradicted those soothing assurances. According to the complaint, beginning in at least 2017, GoodRx broke its privacy promises by sharing information about users’ prescription meds, health conditions, and personal information – like contact information and personal identifiers – with some of the biggest names in digital advertising.

You’ll want to read the complaint for details about how the FTC says GoodRx broke its privacy promises, but here’s the shorthand version. In building its website and mobile app, GoodRx incorporated third-party trackers from companies like Facebook, Google, and Criteo, typically in the form of SDKs or automated web beacons called tracking pixels. Despite what GoodRx had told consumers, the trackers sent their information back to those businesses for marketing and other purposes.

For example, GoodRx configured a Google tracking pixel on its website and an SDK on its app to share with Google information that included the name of the drug for which a user had received a coupon, the health condition the drug treats, and the user’s phone number, email, zip code, and IP address. In addition, the Google Android and iOS SDKs shared users’ latitude and longitude coordinates and unique advertising IDs, which can be used to target individuals with ads.

The FTC says GoodRx configured a Facebook pixel on certain of its sites to send Facebook the same kind of information – and even more. According to the complaint, GoodRx was able to identify customers who had Facebook and Instagram accounts and then used their personal and health information to target them with ads on those platforms. For example, people who accessed GoodRx coupons for, say, Viagra, would see ads for erectile dysfunction medication in their Facebook or Instagram feeds. Similarly, people who had used GoodRx’s telehealth services to get treatment for sexually transmitted diseases would get ads for STD testing services. In some cases, GoodRx disclosed to Facebook the medication purchase data it receives from pharmacy benefit managers, and also used the data to target ads.

[Image: FTC GoodRx Complaint Exhibit A]

What was the real-world impact of GoodRx’s practices? By using Facebook’s ad targeting platform, GoodRx designed campaigns that targeted customers with ads based on their health information. For example, if a customer had revealed a possible erectile dysfunction issue to GoodRx, they might have seen an ad on Facebook like Exhibit A in the FTC complaint.

The complaint charges GoodRx with violating Section 5 of the FTC Act and the Health Breach Notification Rule. According to the lawsuit, GoodRx violated Section 5 by – among other things – telling consumers it wouldn’t disclose personal health information to advertisers or other third parties when the company went ahead and did just that. The FTC says GoodRx’s promise that it would disclose users’ personal information only for limited purposes was also false or deceptive because GoodRx disclosed users’ names, addresses, email addresses, phone numbers, and other personal identifiers to advertisers for marketing purposes. The complaint also alleges that GoodRx deceptively promised that it would limit how third parties that received personal health information could use that information, but failed to do so. As a result, companies like Facebook, Google, and Criteo had free rein to do what they wanted with the information for their own business purposes, including for advertising.

In addition, the FTC alleges that GoodRx’s failure to prevent the unauthorized disclosure of health information was an unfair practice, as was its failure to get consumers’ consent before using and disclosing health information for advertising purposes.

The complaint also charges that GoodRx is a “vendor of personal health records” subject to the Health Breach Notification Rule. Consumers can use the company’s services to keep track of their health information, including details about their prescription drug history. The FTC says GoodRx violated the Rule by failing to notify customers, the FTC, and the media about the company’s unauthorized disclosure of personally identifiable health information to Facebook, Google, Criteo, and other companies.

In addition to a $1.5 million civil penalty for the Rule violation, the proposed order includes a remedy seen for the first time in an FTC case. Simply put, the order imposes a flat-out prohibition on GoodRx sharing user health data with applicable third parties for advertising purposes. It’s a novel remedy, but one the FTC believes is crafted to protect consumers in the future from similar illegal conduct. What’s more, GoodRx must get users’ consent before sharing their health data with applicable third parties for any other purpose, and must notify consumers of its unauthorized sharing with Facebook and others.

What can your company take from the law enforcement action against GoodRx?

Tell the truth about how you intend to use customers’ health data. Be transparent about your practices, provide a proper just-in-time explanation, and get consumers’ express affirmative consent before collecting, using, or sharing health information. But promises aren’t enough. Companies should have a program in place to ensure their practices live up to those promises. 

If sensitive health data is part of your business, understand that you’ve upped the ante on ensuring its security and privacy. Like a truck hauling flammable material on the highway, companies that collect sensitive consumer data should exercise particular caution. That includes maintaining and implementing appropriate policies to protect that information from unauthorized disclosure, collecting only data for which you have a legitimate business need, training your staff to handle it with care when it’s in your possession, and disposing of it securely when you no longer have a good reason to maintain it. 

Set contractual boundaries on how third parties use information obtained from your company. Consider adding provisions in contracts with third parties that touch on how data is shared. It might be tempting to gloss over what seem like “click through” agreements. But the wiser course of business is to harmonize all agreements about consumer data you reach with other companies with the privacy promises you’ve made to consumers and your actual practices. In addition, have service provider agreements in place that contractually limit how those providers can use consumer data.

Monitor the data flow to all third parties your site or app may be connected to via an SDK or other interface. Ad tech tools can be easy to use and integrate into an app or website – perhaps as simple as toggling a button – but they also can grease the wheels for the disclosure of highly sensitive information. In fact, the companies behind those tools often profit from collecting as much user data as possible for the purpose of targeted advertising. It’s your responsibility to make sure people understand up front how you intend to use their personal information, and even then, don’t use ad tech tools unless you understand exactly how they work and are prepared to configure them appropriately. Give app events anonymous names that don’t convey sensitive information. And never violate your own privacy promises.
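A first-party gate of the kind this paragraph calls for, written as an added example here and not code from the FTC or GoodRx: events are renamed to opaque labels before they reach an ad SDK, parameters are allowlisted, and the health and contact fields the complaint names are dropped and recorded so they can be reviewed. Every identifier, the event map and the sample event are constructed for the example.

```javascript
// Added example (not FTC or GoodRx code). A gate placed in front of an
// ad/analytics SDK: the SDK only ever receives what passes sanitizeEvent().

// Keys that must never leave the first party. The list mirrors what the
// complaint says was shared: drug, condition, phone, email, zip, IP,
// location coordinates and advertising IDs.
const SENSITIVE_KEYS = new Set([
  "drug", "drugName", "condition", "diagnosis", "email", "phone", "zip",
  "ip", "latitude", "longitude", "advertisingId", "name",
]);

// Only these parameters may be forwarded, and only after value scanning.
const ALLOWED_PARAMS = new Set(["page", "step", "variant", "platform"]);

// Internal event name -> opaque name sent to the SDK. Anything not listed
// here is not sent at all (fail closed), so an event named after a drug
// cannot reach the third party by accident.
const EVENT_NAME_MAP = new Map([
  ["coupon_viewed", "ev_101"],
  ["coupon_clicked", "ev_102"],
  ["telehealth_visit_booked", "ev_201"],
]);

// Value patterns that signal contact data hiding inside an allowed parameter.
const VALUE_PATTERNS = [
  /[^\s@]+@[^\s@]+\.[^\s@]+/,            // email address
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,     // US-style phone number
  /\b\d{1,3}(\.\d{1,3}){3}\b/,             // IPv4 address
];

function looksSensitive(value) {
  const s = String(value);
  return VALUE_PATTERNS.some((re) => re.test(s));
}

// Returns { name, params, dropped } for a sendable event, or null when the
// event is not in the allowlist. `dropped` is what the first party should
// log and review: a non-empty list means sensitive data almost reached the SDK.
function sanitizeEvent(internalName, params) {
  const name = EVENT_NAME_MAP.get(internalName);
  if (name === undefined) return null;

  const out = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params || {})) {
    if (SENSITIVE_KEYS.has(key) || !ALLOWED_PARAMS.has(key) || looksSensitive(value)) {
      dropped.push(key);
      continue;
    }
    out[key] = value;
  }
  return { name, params: out, dropped };
}

// Constructed input shaped like the pixel payload the complaint describes.
const RAW_EVENT = {
  internalName: "coupon_viewed",
  params: {
    drug: "Viagra",                    // medication name
    condition: "erectile dysfunction", // health condition the drug treats
    email: "user@example.com",
    zip: "90210",
    page: "/coupons",
    variant: "B",
  },
};

function demo() {
  return sanitizeEvent(RAW_EVENT.internalName, RAW_EVENT.params);
}

// Prints the opaque event name, the two surviving parameters and the
// four fields that were stopped at the gate.
console.log(JSON.stringify(demo(), null, 2));
```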

Are you covered by the Health Breach Notification Rule? Consider this a clarion call for compliance. The FTC’s Health Privacy site is a good place to start. Consult Complying with FTC’s Health Breach Notification Rule for the fundamentals. Next on your reading list: the 2021 Statement of the Commission on Breaches by Health Apps and Other Connected Devices. Don’t miss this key sentence:

[T]he Commission reminds entities offering services covered by the Rule that a “breach” is not limited to cybersecurity intrusions or nefarious behavior. Incidents of unauthorized access, including sharing of covered information without an individual’s authorization, triggers notification obligations under the Rule.


Carrol Lindsay
February 08, 2023

Most folks use a computer in this day and age. If you want general info and type in a search, your information is plastered on the internet. Or you are targeted with disgusting advertisements from animal products companies while you are reading a recipe. It's all about the Dollar, how much they can get and where they can go to get the bucks. What does a consumer have to do to protect their rights from unscrupulous products advertisements?

Priscilla Daneau
June 12, 2023

In reply to Carrol Lindsay

100% agree! Well said Carrol!
I have to wonder, how do class action law-suits get started? Is this a possibility? Being told about this issue is one thing, the company being fined is swell, but this 76 year old cutting meds in half because of costs ... not too impressed!

Linda G
July 29, 2023

In reply to Priscilla Daneau

Full agreement. Wish I was in a position to start a class action suit. Where is Erin Brockovich when you need her? Seriously, countless people have been affected by this breach. I worked as an RN for 30+ years. I could have, (and, possibly, would have), been fired and fined for even mentioning a patient’s name outside of the appropriate setting.

avenue17
September 19, 2023

In reply to Carrol Lindsay

I confirm. I agree with told all above. We can communicate on this theme.

Margaret Godfrey
February 02, 2023

It is ridiculous to think that a penalty amounting to .8% of quarterly revenues is going to do anything but encourage tech companies to continue to steal personal data.

Deann Fahey
February 09, 2023

How about the FTC getting remedy for the individuals like me whose information broke HIPAA laws. So basically, the government gets a bonus on the backs of all those whose private information was illegally used.

Ginger Simon
March 02, 2023

In reply to Deann Fahey

I agree with Mr. Fahey, why don’t the people affected by this breach of trust get compensation?
Makes no sense to me that the federal government collects, and those of us who are trying to find out who knows what are left out in the cold

FTC Staff
March 02, 2023

In reply to Ginger Simon

The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury.
As a result of the FTC’s enforcement action against the company, GoodRX also must notify affected consumers about what happened and about the settlement with the FTC. The notice also provides contact information for reaching GoodRx with any questions.

C. Michele
September 01, 2023

In reply to FTC Staff

In my humble opinion, the FTC appears to be a consumer’s first line of defense. The information uncovered doesn’t drop in their laps, unless a whistleblower is involved. While unaware of details, there has to be intelligence operatives employed at the FTC whose sole responsibility is to monitor, investigate and present findings of nefarious activities of who knows how many companies; prior to filing solid evidence to superiors. Finding a healthcare insurance company guilty of wrongdoing, and fining them is obviously a complicated process, and most importantly implemented in order to protect consumers. I am unsure if the FTC has the authority to start a civil lawsuit. I greatly appreciate being informed of this serious issue.

E. Ross
March 02, 2023

In reply to Deann Fahey

That's the first thing I thought of, too! Shouldn't we get some kind of compensation for being out-right lied to from GoodRx? Ridiculous.

RC
May 30, 2023

In reply to E. Ross

I Agree With E. Ross. Seems We Are The Victims And Should Out Right Be Compensated. The Damage To Folks Whose Information Was Stolen May Not Show Up Now. But, However, It May Show Up Later On In Our Lives. Then What? We Matter And Should Be Compensated For Their Actions.
~RC

J masters
March 02, 2023

In reply to Deann Fahey

Excellent point Deann! How can we make a claim against the company? By the way, the 1.5 million dollar penalty is a joke for such an outrageous HIPAA violation!

Josie
April 24, 2023

In reply to J masters

It’s a very good point and the only way that we can protect ourselves and spine class action lawsuit. I have been receiving emails from very underhanded companies but no personal information about me down to what medication I take. It is very uncomfortable knowing that companies from overseas and just random companies are writing emails that are being sent to junk with the names of my specific medications, and that it’s come from GoodRx as no one else knew about them, as I don’t have insurance so only my pharmacy and GoodRx are privy to that information other than my doctor, who would not be giving that out. We should be doing a class action lawsuit against them. It’s not right that the government be receiving money and not the people that were actually victimized.

JTB
March 02, 2023

In reply to Deann Fahey

That’s exactly what I was going to say! The government gets paid but we are the ones who’ve been violated! WHERE IS OUR SETTLEMENT?!

Cindy
March 02, 2023

In reply to Deann Fahey

Where is the remedy amount to the consumers of their information being illegally used.

Rita Morgan
March 02, 2023

In reply to Deann Fahey

Very sad! Cause I’m a victim that is not getting paid.

FTC Staff
March 02, 2023

In reply to Deann Fahey

The settlement requires the company to pay a civil penalty, which by law must go to the U.S. Treasury. As a result of the FTC’s enforcement action against the company, GoodRX also must notify affected consumers about what happened and about the settlement with the FTC. The notice also provides contact information for reaching GoodRx with any questions.

Marian
March 24, 2023

In reply to FTC Staff

Have any of these readers received contact from GoodRx? Because I certainly have not. I don’t believe in the ‘no news is good news’ philosophy, so please don’t appease me. I’ve called them and am still waiting for a return call! As an RN I take HIPAA violations VERY SERIOUSLY!

Josie
April 24, 2023

In reply to Marian

I also have not received any type of notification and I have been victimized by this. I take it very seriously as well, just like Marian. By the way, a class action should be arranged by the people who have been victimized, as we are the ones that deserve the money. The government getting the money is an absolute joke, as we are the ones affected and we are the ones that have lost our privacy. Lord only knows who and what information has been given out everywhere, as I am getting emails every day with the specific names of my medications going to junk email, with them soliciting various things that I do not even read as they’re from overseas companies, and no one knows what medicine I take other than my pharmacy and GoodRx, as I don’t have insurance and my doctor would not be giving that information out.

Joanne Mullins
March 02, 2023

In reply to Deann Fahey

Really. When is the class action lawsuit going to start for the people whose personal information was violated already? We want our piece of the pie. Can the FTC start this class action lawsuit too? Please add me, I have a GoodRX card.

Joan G
March 06, 2023

In reply to Joanne Mullins

Exactly Joanne. … Everyone whose information was shared should have been involved in this lawsuit. It’s frustrating that the only thing GoodRx had to do was to let us know🤦🏻‍♀️. Then the FTC is responding with the same message to people. They say there’s info to ask GoodRx questions, however they’ve not answered anything I’ve asked. This is ridiculous.

LMS
March 02, 2023

So what happens to us whose information was all shared? We are just notified about it?

FTC Staff
March 02, 2023

In reply to LMS

The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury. As a result of the FTC’s enforcement action against the company, GoodRX also must notify affected consumers about what happened and about the settlement with the FTC. The notice also provides contact information for reaching GoodRx with any questions.

Meg M
March 03, 2023

In reply to FTC Staff

Yes, I got my email from GoodRx telling me that my info was shared with Facebook and other un-named third parties. It really doesn't say much more than this:

"The Federal Trade Commission alleges we broke the law by sharing your health information without your permission. To resolve the case, we have agreed to an FTC order requiring that:

We’ll tell applicable third parties (like Facebook) who received that information to delete it.
We’ll never share your health information with applicable third parties (like Facebook) for advertising purposes.
We won’t share your health information with applicable third parties (like Facebook) for other purposes, unless we get your permission first.
We’ll put in place a comprehensive privacy program with heightened procedures and controls to protect your personal and health information. An independent auditor will review our program to make sure we’re protecting your information. These audits will happen every two years for 20 years."

A lot of good that does me or any of us whose information was leaked. Like Facebook cares enough about any of this or any of us that they will delete our information! It's not even an apology. So how do we take part in this settlement?

Claire Sickler
March 02, 2023

With everything I’m reading the FTC gets compensated 1.5mil while we were the ones that were compromised. Again the consumer gets the short end of the stick only in this case we don’t even get a sliver. 🤦🏼‍♀️🤬

FTC Staff
March 02, 2023

In reply to Claire Sickler

The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury.

Juli G
March 03, 2023

In reply to FTC Staff

I want to know SPECIFICALLY if MY information was shared. I’ve been a gold card member and have used the site for many years and for many medications. I am outraged that this occurred/is occurring without any notification from GoodRx or anyone.
We should be compensated somehow and not by a reply from you saying that pay a fine to whoever and any questions that you have regarding this issue be addressed here…..

Deb
March 02, 2023

I am outraged. We have every right to absolute confidentiality with regard to our health care. Ever heard of HIPAA, GoodRx? And to not only share my information with health related companies, but Facebook, Google, and other social media? What the hell were they thinking? It boils down to pure greed - they don't "share" our information, they SELL it. The action by the FTC is a slap on the wrist. It would be worth it to GoodRx to continue this practice and pay the fines. If the company is so dishonest to be selling my most private information, a little fine by the FTC isn't going to stop them.

As somebody stated before me, why am I unable to receive at least SOME compensation for the money they made off of me? I looked and looked for the claim form I needed to fill out. There isn't one, and the releases say nothing about me even having participation in it. These bulletins are information-only.

What good and how serious is HIPAA if this happens and basically the victims are told GoodRx committed this horrible violation of not only OUR privacy, but also of federal law? And who gets the "fine"? The government. Victimized again.

FTC Staff
March 02, 2023

In reply to Deb

The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury.
As a result of the FTC’s enforcement action against the company, GoodRX also must notify affected consumers about what happened and about the settlement with the FTC. The notice also provides contact information for reaching GoodRx with any questions.

Mikhail S al-tariq
March 06, 2023

In reply to FTC Staff

An automated policy response, "The settlement requires GoodRX..." is as much an insult as our victims' compensation going to a non-victimized government entity. GoodRx pays the government for violating my rights, while whoever paid for my private information now sells it to someone else. Period.
My question is: Since GoodRX reached a settlement for their crime, are they now protected (double jeopardy) from an individual or class-action lawsuit?

Linda
March 17, 2023

In reply to FTC Staff

Why are the consumers that had their info stolen and shared not being compensated by GoodRx

Josie
April 26, 2023

In reply to Deb

It is also scary because that information is going on the dark web, as I have seen, and it’s been proven from emails that I’ve been getting regarding medicine that I take that no one knows about except my pharmacy and GoodRx. I don’t have insurance, so they sold the information and it’s on the dark web, and the FTC gets the money for our personal information being compromised. Thought they were fighting for us; I didn’t know they were fighting to get the money for themselves. We need to collectively be pursuing a class action lawsuit, so if there is a lawyer out there please start a class action lawsuit against GoodRx for the violation of our rights and our data and information. It is very dangerous to have that information being out there. #classaction #goodrx

Susan
March 02, 2023

I and everybody that used GoodRx are the injured parties, not the Federal Government. Why should they get the penalties and not us!!!!

T. Erickson
March 02, 2023

So, the government collects the 1.5 mil penalty and the injured parties receive zip, zero, nothing? What a ripoff!

FTC Staff
March 03, 2023

In reply to T. Erickson

The settlement requires GoodRX to pay a civil penalty, which by law must go to the U.S. Treasury.
As a result of the FTC’s enforcement action against the company, GoodRX also must notify affected consumers about what happened and about the settlement with the FTC. The notice also provides contact information for reaching GoodRx with any questions.

Gay Bishop
April 20, 2023

In reply to FTC Staff

What specifically will the U.S. Treasury do with the 1.5 million settlement from GoodRx?

Marty
March 03, 2023

In reply to T. Erickson

I agree with previous comments about how the settlement goes to the government and those of us victimized get nothing as far as compensation for the breach of our health information. What’s wrong with this picture? 🤔🤦‍♀️

Teresa
March 14, 2023

In reply to Marty

I agree with everyone else! This is so wrong on so many levels! This is exactly why we, "the people that were lied to and taken advantage of," should get some kind of compensation instead of the government! It don't matter that it was our information that was sold to these social media apps without our permission! I guess that's why my mom always said "The rich get richer and the poor only get poorer"!! Why is there nothing we can do?? This is such a shame!! I hope that our money goes to good use since we don't get a single penny! 😡🤬😤

Teresa
March 14, 2023

In reply to Marty

I totally agree, we get zero and the government gets 1.5 million.. just shows that this really doesn't matter about our health information, just boils down to them getting the money and pretending like they care about us.. the REAL VICTIMS IN THIS MATTER!!

Dawn
April 10, 2023

In reply to Teresa

Another time when the consumer has absolutely no “say” in anything but the government benefits at our expense??? How wrong and sad!!!

Bad Rx
March 22, 2023

As many others have commented, what about the consumers' remedy? I hope a good law firm files a class action lawsuit because obviously the FTC won't.

Karen Thorpe
May 15, 2023

GoodRx should be held responsible. I do everything in my power to keep all my information protected.

AJ
June 22, 2023

I wouldn't have used GoodRx if my Medicare medication plan wasn't so expensive.
I knew it wasn't confidential from reading that it was associated with Google. But it's hard to pay $400 a month for generic medication through Medicare.
