FTC fines GoodRx for unauthorized sharing of health data
In a first-of-its-kind enforcement, the Federal Trade Commission has imposed a $1.5 million penalty on telehealth and prescription drug discount provider GoodRx Holdings Inc. for sharing users’ personal health data with Facebook, Google and other third parties without their consent.
“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The enforcement is the first under a 2009 law, the Health Breach Notification Rule, which applies to personal health record vendors and related providers not covered by HIPAA, the federal privacy rules that govern the health care industry. It comes three years after Consumer Reports discovered that GoodRx was sharing people’s personal health information with more than 20 companies.
“This is a win for consumers, and it could have a profound effect on how our health information is kept private moving forward.”
In a legal complaint filed on the FTC’s behalf, Justice Department lawyers said GoodRx’s actions had “unjustly enriched” the company at the expense of users — many sufferers of chronic health conditions — who could face “stigma, embarrassment or emotional distress” as well as discrimination if facts it shared were disclosed.
And, even after GoodRx’s practices came to light, it failed to notify users that their health information had been disclosed without their authorization.”
Company spokeswoman Lauren Casparis said via email that GoodRx “used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many websites.” Those technologies included embedded web beacons known as “pixels” and other tracking and data-collection tools from companies including Google and Facebook, the government said.
The FTC said in a news release that GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties” while sharing information on their prescriptions and health conditions with third-party advertising companies and platforms including Facebook, Google and Criteo.

