In a first-of-its-kind ruling, California-based online pharmacy GoodRx on Wednesday agreed to pay $1.5 million in civil penalties, following a Federal Trade Commission (FTC) investigation that found the company shared users’ health data with Big Tech firms, including Facebook and Google.

According to The New York Times, the FTC accused GoodRx’s parent company, GoodRx Holdings, of sharing information on the prescription medications and illnesses of millions of its users, for advertising and marketing purposes.

In the FTC’s complaint, filed in the U.S. District Court for the Northern District of California, the agency also claimed GoodRx did not notify consumers that their personal health data would be shared with third parties and that it misled consumers into thinking their data was protected.

The FTC found GoodRx’s practices violated the FTC’s Health Breach Notification Rule, which requires health apps and other similar tools, including fitness trackers, to notify consumers of breaches of data they have collected.

In a statement, Samuel Levine, the FTC’s director of consumer protection, said:

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. …

“The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

According to TechCrunch, this is the first time the rule has been enforced, despite its having been in place for a decade.

FTC: GoodRx shared users’ personal health data ‘for years’

The FTC found that GoodRx “deceptively promised its users that it would never share personal health information with advertisers or other third parties,” but “repeatedly violated this promise … for years,” TechCrunch reported.

There were multiple ways in which GoodRx engaged in such practices, according to TechCrunch. One was by sharing the names of medications and associated health conditions of its users with advertising platforms operated by Google, Facebook and others.

An FTC official told reporters some of this information included sensitive user health data.

GoodRx then monetized the data by serving up targeted health and medication-specific ads, said TechCrunch.

The personal data shared by GoodRx, according to the Times, “could link users to chronic physical and mental health issues including substance abuse.”

The FTC’s case focused on the use of tracking tools, including “pixels” and “software development kits,” by GoodRx, the Times reported. Facebook, Google and other tech firms provide such tools, which enable the tracking of user activities and the sharing of data with third parties for ad targeting and user-analytics purposes.

GoodRx said it stopped using Facebook’s “pixels” three years ago, according to the Times.

The data collected by these tracking tools included users’ first and last names, their email addresses and mobile phone numbers, their IP addresses, location, gender and unique device ID codes.

Actions such as clicking on a link, reading information about specific medications or illnesses or opening a specific app could also be tracked, said the Times.

The FTC also said GoodRx “uploaded the contact information of users who had bought certain medications, like birth control or erectile dysfunction pills, to Facebook so that the drug discount app could identify its users’ social media profiles,” reported the Times.

TechCrunch said GoodRx’s user lists also included users who purchased blood pressure and heart disease medications, again with the purpose of targeting the users with specific health-related advertisements.

That information was then used to serve those users targeted medication ads on Facebook and Instagram, the FTC said.

“GoodRx also targeted users who had looked up information on sexually transmitted diseases on HeyDoctor, the company’s telemedicine service, with ads for HeyDoctor’s S.T.D. testing services.”

The FTC also found GoodRx did not limit how third parties could use the health information they collected from the company’s users, allowing the third parties to use the data for “internal business purposes like research and product development,” reported the Times.

According to the FTC, more than 55 million people used or visited GoodRx’s digital platforms since 2017. During this period, GoodRx made public promises “to never provide any advertisers any information that reveals a personal health condition,” but in fact “revealed extremely intimate and sensitive details,” reported the Times.

GoodRx also “failed to maintain sufficient” protections for users’ personal information, such as adequate formal, written privacy and data-sharing policies, the Times also reported.

TechCrunch said the FTC accused GoodRx of “falsely suggesting” to users that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, misleading them into believing that their data was protected by law when, in fact, much of this data was not specifically covered by HIPAA or other laws.

GoodRx banned from sharing user data with third parties, pending final approval of FTC order

Under the FTC’s order, pending approval by the federal court in California, GoodRx will permanently be barred from sharing users’ health information with third parties for advertising purposes and will be required to abide by a “data retention schedule,” limiting how long it can retain users’ health and personal data, reported TechCrunch.

The company also will be required to implement a privacy program to protect user data and to disclose to users what data it collects and for which purposes.

GoodRx also will be required to ask the companies it shared data with to delete the data. However, those companies will not be bound by the order, TechCrunch said.

The requirements are in addition to the $1.5 million civil penalty levied against GoodRx for its violation of the Health Breach Notification Rule, the Times reported.

In a statement issued after the FTC’s announcement, GoodRx claimed it values user privacy:

“At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it. The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.

“While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices.”

In the same statement, GoodRx claimed it did not agree with the FTC’s allegations and, in accepting the settlement, did not admit any wrongdoing:

“We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation.

“We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”

The FTC’s Health Breach Notification Rule requires health apps and other similar tools “to notify users of breaches like cyberattacks or the unauthorized sharing of their health data,” the Times reported.

Although the FTC had never enforced this rule, the agency has been reconsidering that position in recent years, reported TechCrunch. For instance, the FTC clarified in 2021, and again in 2022, that the rule also applies to app developers and fitness device makers, warning that it would take action against alleged violations.

According to the Times, the FTC, in 2021, accused the developer of Flo, a health tracking app used by more than 100 million women, “of misleading users about its data-handling practices by sharing intimate health details about their periods and pregnancies with Google and Facebook.” The FTC and Flo settled the suit in June 2021.

The Times described FTC Chairperson Lina M. Khan as the agency’s “activist chair” and reported that she “is angling to prohibit some longstanding tech industry data practices.”

The FTC’s order against GoodRx “could upend widespread user-profiling and ad-targeting practices” by Big Tech, the Times added.

‘Digital healthcare’ trend gives rise to privacy concerns

According to TechCrunch, “GoodRx is a prime example of how the rules might be violated, but with the proliferation of online healthcare services in recent years — which got a boost in particular with the arrival of the COVID-19 pandemic — there are signs that we may start to see more enforcements of the [FTC’s] rule.”

FTC rules could fill in some of the gaps in HIPAA and other laws. The Times reported that “unlike a person’s blood test results and other patient information collected by doctors and hospitals … personal health details that tens of millions of consumers enter into apps or search for online, like the names of drugs or diseases, are specifically covered by few legal protections.”

The FTC’s rule “is particularly important in light of the fact that there are ever more healthcare services coming online,” according to TechCrunch, which cited Amazon as a prime example.

Amazon on Jan. 24 entered the prescription drug market through Amazon Pharmacy with the launch of RxPass, an add-on to its Amazon Prime service where users will pay a monthly flat fee of $5 for unlimited refills of a slate of generic medications.

According to Forbes, more than 50 generic drugs covering 80 common ailments are part of the Amazon RxPass service’s launch. These include sertraline (the generic version of the antidepressant Zoloft) and losartan (the generic version of the hypertension drug Cozaar).

The drugs are delivered for free, with a valid prescription.

Amazon’s RxPass is not available in all states (California, Louisiana, Maryland, Minnesota, New Hampshire, Pennsylvania, Texas and Washington are excluded), according to Forbes.

People on government-funded insurance programs such as Medicare and Medicaid are also ineligible for the RxPass program.

However, a separate healthcare-related transaction by Amazon, currently pending approval by regulators, would allow the Big Tech firm to fill in this gap.

The initial 80 conditions covered by the RxPass generic drug offerings were chosen intentionally “to make it an offer attractive to a wide base of potential customers,” according to TechCrunch, which noted more than 150 million Americans already take one or more of the medications offered by the program.

In July 2022, Amazon purchased One Medical, a private health services provider operating 188 primary care practices and a subscription-based telehealth service, in a $3.9 billion all-cash deal.

According to Forbes, “The One Medical acquisition gives Amazon an entry into providing health care for Medicare patients.”

Fierce Healthcare reported Jan. 3 that the Oregon Health Authority’s Health Care Market Oversight program approved the deal, moving it one step closer to full regulatory approval. The FTC is investigating the acquisition.

At the time the deal was announced, some political figures and consumer advocates characterized it as “dangerous,” raising potential privacy and antitrust concerns.

Amazon, despite the failure of its Amazon Care initiative, continues to make forays into the healthcare market, with a particular focus on “purpose-built health AI [artificial intelligence] services.”

Some analysts claim the use of AI in healthcare “could revolutionize diagnoses and treatment administration,” while others argue that, with the rising cost of healthcare, AI and other digital options can potentially “make healthcare more accessible [and] affordable.”

Source – https://childrenshealthdefense.org/defender/goodrx-personal-health-data-breach-ftc/