GoodRx Leaked User Health Data to Facebook and Google, F.T.C. Says

Millions of Americans have used GoodRx, a drug discount app, to search for lower prices on prescriptions like antidepressants, H.I.V. medications and treatments for sexually transmitted diseases at their local drugstores. But U.S. regulators say the app’s coupons and convenience came at a high cost for users: wrongful disclosure of their intimate health information.

On Wednesday, the Federal Trade Commission accused the app’s developer, GoodRx Holdings, of sharing sensitive personal data about users’ prescription medications and illnesses with companies like Facebook and Google without authorization.

The company’s information-sharing practices, the agency said, violated a federal rule requiring health apps and fitness trackers that collect personal health details to notify consumers of data breaches.

While GoodRx agreed to settle the case, it said it disagreed with the agency’s allegations and admitted no wrongdoing.

The crackdown on GoodRx comes at a moment of heightened concern over the leaking of sensitive health information, particularly in states that have banned or severely limited abortions. And it underscores the F.T.C.’s intensifying efforts to push digital health services to beef up their user privacy and security protections.

The F.T.C.’s case against GoodRx could upend widespread user-profiling and ad-targeting practices in the multibillion-dollar digital health industry, and it puts companies on notice that regulators intend to curb the nearly unfettered trade in consumers’ health details.

Over the last two decades, start-ups and giant tech companies have introduced a range of fitness devices, smartwatches and fertility apps. But unlike a person’s blood test results and other patient information collected by doctors and hospitals — which is protected by a federal law, the Health Insurance Portability and Accountability Act, known as HIPAA — there are few legal protections that specifically cover personal health details, like the names of drugs or diseases, that tens of millions of consumers enter into apps or search for online.

In 2019, GoodRx uploaded the contact information of users who had bought certain medications, like blood pressure pills, to Facebook so that the drug discount app could identify its users’ social media profiles, the F.T.C. said in a legal complaint. GoodRx then employed the personal information to target users with ads for medications on Facebook and Instagram, the agency said.

Those data disclosures, the agency said, flouted public promises the company had made to “never provide advertisers any information that reveals a personal health condition.”

If a judge approves the proposed federal settlement order, GoodRx would be permanently barred from sharing users’ health information for advertising purposes. To settle the case, the company also agreed to pay a $1.5 million civil penalty for violating the health breach notification rule.

The F.T.C. is employing new legal approaches and remedies in the GoodRx case as part of its effort to bolster safeguards for the personal information collected by health apps, trackers and sites.

This is the first time the agency has brought an enforcement action using its Health Breach Notification Rule. That rule requires health apps and connected devices that collect or use personal health information, like an individual’s heart rate or menstruation history, to notify users of breaches such as cyberattacks or the unauthorized sharing of their health data. This is also the first time that a proposed F.T.C. consent order has sought to prohibit a company from sharing users’ health data for advertising purposes.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the F.T.C.’s bureau of consumer protection, said in a statement. “The F.T.C. is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

GoodRx, based in Santa Monica, Calif., said in a statement that user privacy was one of its most important priorities. The company added that the settlement with the agency focused on issues that GoodRx resolved three years ago, before the F.T.C. inquiry began.

“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices,” the GoodRx statement said.

source: nytimes.com