NORFOLK, Va. - Medical information is some of the most sensitive information people have, yet the Federal Trade Commission (FTC) said, for years, a major company was sharing it with advertisers for their own gain.
This month, the FTC filed a complaint against GoodRx for "failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies."
Federal regulators said the telehealth and prescription drug discount provider promised users it wouldn't share their personal health information but did anyway.
According to the FTC, this is a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC. The organization said, "GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule."
The report specifically noted that GoodRx:
- Shared Personal Health Information with Facebook, Google, Criteo, and Others
- Used Personal Health Information to Target its Users with Ads
- Failed to Limit Third-Party Use of Personal Health Information
- Misrepresented its HIPAA Compliance
- Failed to Implement Policies to Protect Personal Health Information
Herb Weisbaum, consumer expert and Contributing Editor at ConsumersCheckbook.org, said this case is about more than just one company. He said the FTC is sending a message and "making an example" of GoodRx.
"The fine $1.5 million isn't all that big, but the ramifications are. If this settlement is approved by the court, GoodRx will be banned from sharing its users' information with third-party advertisers. [They're sending the message], if you collect this information and share it with other companies without permission, we might decide to sue you," Weisbaum said.
The FTC is proposing GoodRx pay a $1.5 million civil penalty and change a slew of its privacy and sharing policies.
Regulators said, "to remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also include:"
- Prohibit the sharing of health data for ads
- Require user consent for any other sharing
- Require company to seek deletion of data
- Limit retention of data
- Implement mandated privacy program
The order must be approved by the federal court to go into effect.
"In the settlement, GoodRx did not admit any wrongdoing whatsoever, but if it's agreed to by the court, they're going to significantly change their business practices," said Weisbaum.
GoodRx disagreed with the FTC's allegations and said in part,
"At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it.
"The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.
"We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations."
On its website, GoodRx also noted:
- We proactively addressed the issue the FTC focuses on almost three years ago, before their inquiry began
- Advertising tracking pixels remain a common technology
- We do not agree with the FTC’s allegations regarding the Health Breach Notification Rule (HBNR)
- No medical records were shared
- No material impact on our business
"We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare," the company said.
The big takeaway for people is that unless it's given to your doctor, a medical facility, a pharmacy or health insurance company, assume your information is shared.