Founded in 2011, GoodRx is a widely used health app that seeks out coupons and discounts for medications. Some consumers find it to be a literal lifesaver, but they may also have been paying more of a price than they were aware of in terms of advertiser access to their health data. First accused of sharing data with companies like Facebook and Google in 2020, the company has now settled an ongoing Federal Trade Commission (FTC) case by agreeing to a $1.5 million fine and to permanently cease sharing patient data for advertising purposes.
The company admits no wrongdoing in the settlement, claiming that the health data it shared could not identify an individual user’s health condition. But some users had ads for their particular conditions appear to them on Facebook and Instagram while logged in to personal accounts, including sensitive conditions such as specific sexually transmitted diseases.
GoodRx ordered to end use of health data for advertising
GoodRx has millions of monthly users and tens of millions of overall subscribers, with its customers searching for more affordable prices on prescription medicines for a wide variety of conditions that most would prefer to keep private. The company was first accused of sharing health data with advertisers in a February 2020 Consumer Reports article that found the app was tied up with 20 different advertising firms, including the marketing arms of Google and Facebook.
As the article notes, not only do patients often turn to GoodRx out of desperation over high prices for needed medications, but they are sometimes directed to it by well-meaning physicians. All of this was presumably without the knowledge that the company was sharing data with firms that build targeted advertising profiles, tying sensitive conditions to names and other elements of personal identification.
As a result of that research report, GoodRx announced that it would implement a means for users to delete their health data and that it would stop sharing data with Facebook. But the report also drew the attention of the FTC, and its ensuing investigation found that from 2017 to 2020 the company had provided Facebook with the contact information of people who had purchased medications so that the social media giant could advertise to them via their profiles.
GoodRx was also sharing data from its HeyDoctor telemedicine service, which it acquired in 2019. Users who had accessed the service’s STD testing component had their health data shared with advertisers, despite promises from the company that their personal conditions would never be identified by advertisers based on data shared by the app.
The company says that it is settling to avoid expensive and time-consuming litigation. GoodRx had a tough 2022 aside from the health data sharing charges, losing a good deal of its value when a major grocer (believed to be Kroger) began refusing its pharmacy discounts, and ultimately laying off 16% of its workforce.
New FTC tool used to punish health companies found inappropriately sharing data
This will be the first fine brought using the FTC’s Health Breach Notification Rule, a 2009 policy that was revised in 2020 and updated in 2021. The rule was updated specifically to target health apps that collect sensitive data but manage to skirt HIPAA records handling requirements because they are not health care providers. The rule puts strict notification requirements on apps that handle health data in the event of a breach. As this case demonstrates, sharing data with ad companies in violation of prior promises not to do so can constitute a breach. The FTC also took GoodRx to task for failing to appropriately limit third-party use of health data, misrepresenting HIPAA compliance, and not having a written privacy policy or compliance program in place until 2020.
In addition to prohibiting further sharing of health data for advertising, the settlement requires GoodRx to obtain affirmative express consent when sharing data for any other legal purpose. The company must also develop a public data retention schedule, make an effort to have its third-party partners delete the health data that was already shared, and develop a comprehensive privacy program.
Many different types of apps that process health data are facing a greater degree of scrutiny about how they monetize through digital advertising, from specialized demographic-based mental health counseling to those that work with fitness wearables. In the US, regulatory tools are slow to catch up with those that do not fall into the HIPAA “services provider” category. The Health Breach Notification Rule is one means of filling that gap; it had already been used once before, against the Flo Health period tracking app in 2021, but that prior case came to a settlement that had no fine and merely required the app to obtain affirmative consent before sharing data rather than forbidding it entirely.