GoodRx, an online pharmacy, is facing a $1.5 million civil penalty from the Federal Trade Commission (FTC) to settle violations of a rule regarding unauthorized disclosures of consumers’ personal health information.
According to the FTC, GoodRx failed to notify consumers that it disclosed personal health information to Facebook, Google and other companies. The company’s digital platform offers prescription drug discounts, telehealth visits and other health services.
The penalty is the first of its kind under the Health Breach Notification Rule, which requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information, according to the Department of Health and Human Services (HHS). The FTC’s civil penalty is a proposed order that must be approved by a federal court for it to go into effect. In addition, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes under the proposed order.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC stated that GoodRx collects personal and health information from its users, both directly from users and from pharmacy benefit managers (PBMs), which confirm when a consumer purchases a prescription medication using a GoodRx coupon. More than 55 million consumers have visited or used GoodRx since January 2017. The FTC’s complaint states that GoodRx shared sensitive personal health information with advertising companies and platforms for years and failed to report these disclosures.
Namely, the FTC said GoodRx shared sensitive consumer information with Facebook, Google, Criteo and other parties. GoodRx also used consumers’ information to target its own users with personalized health- and medication-specific advertisements on Facebook and Instagram. The digital health company further allowed third parties to use the personal health information for their own purposes, including research and development or improving advertising.
Finally, the FTC’s complaint stated that GoodRx misrepresented its HIPAA compliance by displaying a seal that falsely suggested to consumers that it complied with HIPAA requirements. The company also did not maintain sufficient policies or procedures to protect its users’ personal health information.
According to a statement from GoodRx, the settlement is focused on “an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.”
The company also said it had already taken proactive steps to safeguard users’ privacy almost three years ago, before the FTC reached out. Despite agreeing to the $1.5 million penalty, GoodRx disputed that it had violated privacy requirements.
“We do not agree with the FTC’s allegations and we admit no wrongdoing,” GoodRx said. “Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”