FTC tracks GoodRx to sell user health data

GoodRx does not protect your privacy very well. And now the Federal Trade Commission has crafted a pricey prescription for hefty fines and agreements to implement various privacy protections.

If you’re one of the tens of millions of people who have used GoodRx to find drug bargains, drug discount and price shopping websites and apps can give you a little more than you bargained for. may have gone According to the FTC, not only data brokers, but also technology companies such as Meta and Google use it for advertising.

The FTC on Wednesday agreed to fine GoodRx $1.5 million and take various steps to stop it from sharing health data for advertising purposes and for sharing health data for other reasons. Efforts to obtain user consent and to have third parties with whom data was previously shared delete that data. The move shows how committed the FTC is to protecting people from digital privacy breaches. Even though America doesn’t have federal privacy laws that make the job easier. It also shows just how leaky some of these services we entrust our most private information to.

The FTC alleges that GoodRx shared the name of the drug users were looking for in the app, the drugs they redeemed for GoodRx coupons at pharmacies, and the conditions under which they were being treated using GoodRx’s telemedicine platform. GoodRx is also accused of sending Meta a list of users who have purchased certain medications (including identifying information) and targeting those users with advertisements related to conditions known to GoodRx.

“Digital health companies and mobile apps should not make use of consumers’ highly sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Office of Consumer Protection, said in a statement. informs us that we will exercise all legal powers to protect sensitive data of U.S. consumers from misuse and unlawful exploitation.”

GoodRx did not immediately respond to a request for comment.

Some of GoodRx’s practices were first revealed in February 2020 by a report from Consumer Reports and Gizmodo, detailing how user data is being sent to third parties. At the time, GoodRx apologized, said the data was not used to target ads, and implemented some privacy controls. GoodRx operates in a digital privacy gray zone, so this seemed like the end. They may collect the same data as pharmacies, doctors, and health insurance companies, but most are not subject to the same health privacy laws, namely HIPAA, the Health Insurance Portability and Accountability Act. Even if HIPAA didn’t apply to his GoodRx, the FTC gave users the impression that it did by placing a small “HIPAA” icon on his website, he said. I’m here.

Even HIPAA-covered organizations seem to struggle to keep patient information out of the hands of data brokers and advertisers. But at least there are legal recourse if they violate that law. However, HIPAA violations are outside the FTC’s jurisdiction, and are the work of the Department of Health and Human Services’ Office for Civil Rights.

If a website or app collects and mismanages health data that isn’t covered by HIPAA, it could be work for the FTC’s Division of Consumer Protection. The FTC tracked down the period tracking app for deceiving users when it sent users’ fertility information to his broker, despite promises not to do so. The FTC is also in the middle of a lawsuit against her data broker, Kochava, for unfair or deceptive conduct. Kochava can do serious harm by making people’s personally identifiable and sensitive location data readily available, but those people have no way of knowing. Not to mention that their data is being collected or used in this way and how to stop it.

For GoodRx, things are a little different, as the FTC uses an unprecedented rule. The Health Breach Notification Rule requires vendors of personal health records not covered by HIPAA to notify consumers when their data is accessed by a third party without the consumer’s authorization. It has been registered since 2009, but the FTC has never enforced it. Officials have suggested such a move could take place in 2021, requiring health apps and connected devices to obtain user permission before disclosing health data to third parties. issued a warning.

This was both a clarification of the rule and a warning that the FTC was ready and willing to enforce the rule. This was the first time I successfully handled that threat. FTC chairman Lina Khan has voiced her commitment to data privacy and will not be the last given that her apps and her website are notorious for being leaky. However, some of these companies should be encouraged to make efforts to better secure their users’ health data or be more explicit about how and why they share it with anyone else.

New FTC orders must be approved by federal courts before they take effect. Assuming that’s the case, the $1.5 million fine won’t kill GoodRx, who reported $745.42 million in earnings in 2021. This is the most recent year for which that data is available. But it’s also nothing. GoodRx finished the year with a net loss of her $25.25 million, even though he made $300 million in nearly four minutes. Also, the added cost of setting up all the compliance measures required by the FTC for each order and the user’s decision to move his business elsewhere because he doesn’t trust GoodRx to keep his data. As a result, GoodRx loses any amount of revenue. private.

Consumers pay too. For some patients, GoodRx disclosed their most sensitive information when they were most vulnerable. That’s when I was looking for a way to get drugs that I couldn’t buy any other way. Now that at least he knows one of them sent that data to Facebook, chances are they won’t use the drug discount app so quickly in the future.