GoodRx shared consumer health data with Facebook and Google, FTC says
Digital health service GoodRx repeatedly shared sensitive customer information with Facebook, Google and other advertising platforms without its users' knowledge or consent, the Federal Trade Commission alleged on Wednesday. In doing so, GoodRx allowed those services to tap into sensitive health details about those consumers, according to the complaint.
In one case, GoodRx allegedly designed campaigns based on its users' health information to run targeted ads on Facebook, relying on the social media network's ad-targeting platform and making the information visible to Facebook, the complaint alleges. In that case, the campaigns featured ads focused on specific medications such as Viagra or conditions like erectile dysfunction that then ran on Facebook, the complaint claims.
GoodRx shared sensitive user information such as personal health conditions and prescription medications with third-party advertisers without notifying its users or seeking their consent, the FTC said. The medication service also exploited its information to provide Facebook with its customers' personal and health data over a four-year period, the agency claims.
Such information could be used to infer or link people to "chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, information relating to parental status, substance addiction, sexual and reproductive health, sexual orientation, and other highly sensitive and personal information," the FTC said in the complaint.
Move to protect user privacy
The Department of Justice, on behalf of the FTC, issued an order that prohibits GoodRx from sharing user health data for advertising purposes, although the order must be approved by the federal court to become effective. GoodRx will also pay a $1.5 million civic penalty, the FTC said in a statement.
GoodRx said it doesn't agree with the allegations.
"[W]e admit no wrongdoing," it said in a statement. It added that the settlement "focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began."
GoodRx said it resolved the issue three years ago, when it made updates to its service to protect users' privacy.
In a statement emailed to CBS MoneyWatch, Google said it prohibits personalized advertising based on "sensitive data like health conditions or prescription medications."
Meta, Facebook's parent company, didn't immediately respond to a request for comment.
GoodRx, which offers a digital service for prescription drug discounts and telehealth appointments, collects personal and health information from consumers and from pharmacy benefit managers when a consumer purchases a prescription through GoodRx.
The FTC said the enforcement action represents the first time it has taken such a step under its Health Breach Notification Rule, which requires vendors of personal health records to alert consumers after their data has been breached. The agency claims that GoodRx failed to notify its customers about the unauthorized disclosure of their data to Facebook, Google and others.
"Digital health companies and mobile apps should not cash in on consumer's extremely sensitive and personally identifiable health information," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection, in the statement.