Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices

FTC: “The company name may be GoodRx, but it’s unlikely that “good” is the adjective consumers would use to describe the way the company violated its privacy promises by disclosing their personal health information to companies like Facebook and Google without authorization. How did GoodRx accomplish that? By using automatic “plug and play” tracking pixels and software development kits (SDKs) from Facebook, Google, and other companies that are designed to grab a substantial amount of consumer data and turn it over for advertising purposes. In the case of GoodRx, this included consumers’ personal and health information. To settle the FTC’s first action alleging a violation of the Health Breach Notification Rule, GoodRx will pay a $1.5 million civil penalty. But there’s another first-of-its-kind provision in the proposed settlement sure to generate water cooler talk among app developers, privacy professionals, and others in the burgeoning health technology industry. Read on for details.

GoodRx runs a digital health platform where consumers can compare prescription drug prices and get prescription drug coupons. It also offers a paid monthly subscription service, GoodRx Gold, which claims to offer greater discounts and virtual telehealth visits through a product called GoodRx Care. GoodRx collects a substantial amount of personal data – including highly sensitive health information – from consumers and from pharmacy benefit managers, which are companies that manage prescription drug benefits, confirming when someone uses a GoodRx coupon to get a prescription.

Although the specific language has changed over the years, GoodRx has made numerous privacy promises to consumers. For example, in describing its use of third-party tracking tools, GoodRx assured people, “[W]e never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” GoodRx also promised users that it “rarely shares” personal health information with third parties, and when it does, it “ensures that these third parties are bound to comply with federal standards as to how to treat ‘medical data’ that is linked with your name, contact information and other personal identifiers.” In addition, GoodRx stated it would share users’ personal information only for certain limited administrative functions – for example, “to provide services directly to users,” “to comply with the law or legal process,” “to act in an emergency to protect someone’s safety,” or “to handle customer requests.”

To use a phrase we’ve had to repeat with troubling frequency in recent blog posts, that’s what the company promised, but the FTC says what GoodRx was doing behind the scenes contradicted those soothing assurances. According to the complaint, beginning in at least 2017, GoodRx broke its privacy promises by sharing information about users’ prescription meds, health conditions, and personal information – like contact information and personal identifiers – with some of the biggest names in digital advertising…”