The FTC fines GoodRx for unauthorized disclosure of health data

0
47

In a unique enforcement, the Federal Trade Commission has fined GoodRx Holdings Inc., a telemedicine and prescription drug provider, $1.5 million for sharing users’ personal health information without their consent with Facebook, passed on to Google and other third parties.

As part of a settlement, California-based GoodRx also accepted that going forward it would be prohibited from sharing user health data with third parties for advertising purposes, the FTC said. GoodRx admitted no wrongdoing and said in a blog post that it was settled “to avoid the time and expense of lengthy litigation.” The approval of the federal court is still pending.

Consumer advocates hailed Wednesday’s announcement as a potential game changer that could seriously curb a little-known phenomenon: the trading of sensitive healthcare data by companies that aren’t strictly classified as healthcare providers.

“Digital health companies and mobile apps should not monetize consumers’ highly sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Consumer Protection Bureau. said in a statement. “The FTC announces that it will use all of its legal authority to protect American consumers’ sensitive information from misuse and illegal exploitation.”

The enforcement is the first under a 2009 law, the Health Breach Notification Rule, which applies to personal health record providers and related providers who are not covered by HIPAA, the federal privacy regulations that govern the healthcare industry.

It comes three years after Consumer Reports discovered that GoodRx shared people’s personal health information with more than 20 companies. “People told us they never expected their sensitive information to be shared with companies like Google and Facebook,” said Marta Tellado, President and CEO of Consumer Reports, in a statement Wednesday. “This is a win for consumers and could have a profound impact on how our health information is kept private in the future.”

GoodRx said the FTC’s complaint focus was “proactively addressed” nearly three years ago, before the FTC investigation began.

Justin Brookman, director of technology policy at Consumer Reports, said he believes the FTC investigation began after his organization’s February 2020 report. Previously, the FTC said, “GoodRx did not have an adequate formal, written or standard privacy or data sharing policy or compliance program.”

Company spokeswoman Lauren Casparis said via email that GoodRx “has used vendor technologies to advertise in a way that we believe is compliant with all applicable regulations and that many websites still use.” before is usual”.

In the industry, these technologies commonly include embedded tracking pixels provided by platforms such as Google and Facebook.

“They put pixels on their website,” Consumer Reports’ Brookman said over the phone. “They don’t have to.”

In a statement, Brookman said, “Healthcare apps and websites have been sharing our personal information for years without consequences. This case should be a game changer – companies must now understand that sharing customer data without clear permission will result in investigations and fines.”

On its website, GoodRx says it has helped consumers save more than $45 billion since 2011.

According to the FTC, more than 55 million consumers have visited the GoodRx website or mobile apps since January 2017. The Company collects personal and health information from its users and from pharmacies that certify when one of its coupons has been used in a purchase.

The FTC said in a press release that GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” while sharing information about their prescriptions and health conditions with third-party advertising firms and platforms such as Facebook and Google. This process helped GoodRx to target personalized ads on Facebook and Instagram and other platforms, the FTC said.

Other provisions of the proposed federal court order require GoodRx to direct third parties with whom it has shared consumer health information to delete it and notify consumers.

GoodRX spokeswoman Casparis said the company believes that “the requirements set out in the settlement will not have a material impact on our business or on our current or future activities.”

Copyright 2023 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.

LEAVE A REPLY

Please enter your comment!
Please enter your name here