The Federal Trade Commission took historic action against the medication discount service GoodRx Wednesday, issuing a $1.5 million fine against the company for sharing data about users’ prescriptions with Facebook, Google, and others. It’s a move that could usher in a new era of health privacy in the United States.
“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
In addition to a fine, GoodRx has agreed to a first-of-its-kind provision banning the company from sharing health data with third parties for advertising purposes. That may sound unsurprising, but many consumers don’t realize that health privacy laws generally don’t apply to companies that aren’t affiliated with doctors or insurance companies. The FTC’s proposed court order still has to be approved by a federal judge, but if it is, experts say it could ameliorate the internet’s rampant medical privacy issues.
GoodRx is a health technology company that gives out free coupons for discounts on common medications. The company also connects users with healthcare providers for telehealth visits. GoodRx also shared data about the prescriptions you’re buying and looking up with third-party advertising companies, which incurred the ire of the FTC.
GoodRx’s privacy problems were first uncovered by this reporter in an investigation with Consumer Reports, followed by a similar report in Gizmodo. At the time, if you looked up Viagra, Prozac, PrEP, or any other medication, GoodRx would tell Facebook, Google, and a variety of companies in the ad business, such as Criteo, Branch, and Twilio. GoodRx wasn’t selling the data. Instead, it shared the information so those companies could help GoodRx target its own customers with ads for more drugs. According to the FTC, that’s illegal.
The FTC says GoodRx violated a prohibition on unfair and deceptive practices because it failed to mention that it might share details about the most sensitive parts of your life with companies known for privacy violations. In fact, the FTC says GoodRx actually lied to its customers by claiming that it was HIPAA compliant. The complaint also says the GoodRx falsely claimed that it abided with principles set out by the Digital Advertising Alliance—an industry trade group—which asks only that companies get consent before using health data for ads.
GoodRx said that while privacy is a top priority for the company, sharing data in this matter is a standard practice and it disagrees with the FTC.
“We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation,” said a GoodRx spokesperson. “While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices.”
The GoodRx spokesperson said the FTC settlement is focused “an old issue that was proactively addressed almost three years ago.” However, a quick check shows that GoodRx.com continues to share information with Google and other advertising companies, according to the the Markup’s Backlight tool, which gives you a preview of some of see the hidden tracking on websites. In fact, Backlight shows the company has added new advertising partners since the original investigation in 2020.
GoodRx said its site’s technology was in line with its “compliance obligations.”
The FTC doesn’t regulate HIPAA. That’s the purview of the US Department of Health and Human Services. Instead, the commission says GoodRx violated the Federal Trade Commission Act (which created the FTC in the first place). That legislation prohibits unfair or deceptive business practices. According to the complaint against GoodRx, sharing health information without telling your customers and lying about whether you comply with HIPAA is deceptive, and therefore against the law.
This foray into health care privacy is unprecedented for a number of reasons. The most significant part of the order is the simple fact that it says GoodRx’s practice of sharing health data for advertising is illegal. That might seem obvious, but it’s a stunning move.
Do you have a story to share about health privacy, the data economy, or tech in general? Contact Thomas Germain at email@example.com.
“This could set a new paradigm for how that information is handled,” said James Koons, founding partner of the consulting firm Data Privacy & Security Advisors. “There’s almost no protection for your health care data if it isn’t being handled by a HIPAA-covered entity. GoodRx sits very close to the health care industry, but it seems they’ve been skating around the outside of the pond and getting away with it. The FTC is putting a stop to that.”
A lot of people share a common misconception that HIPAA protects their health information. Unfortunately for privacy fans, it does not. Basically, HIPAA’s health privacy rules only apply to healthcare providers, insurance companies, and anyone who is working directly on their behalf. A company like GoodRx is not a covered entity under HIPAA in most cases (the only exception is the company’s telehealth platform).
That can be confusing, because the kind of prescription data GoodRx handles would be protected if it was handled by your doctor or your pharmacist. And according to the FTC, GoodRx played into that confusion with a number of misleading statements.
GoodRx’s practices are commonplace on the web. Investigations have shown that just about every health website you can think of— from WebMD, BetterHelp, even hospital websites—often use ad tracking technology that leaks your health information to the tech industry.
The proposed order sends a clear signal that the medical advertising status quo may be illegal.
“Because GoodRx is so close to health care, it’s not going to be abundantly clear to everyone that they’re not a HIPAA covered entity. It’s a shot across the bow to businesses that handle health information which aren’t covered by HIPAA,” said Clinton Mikel, a partner at the law firm Health Law Partners and former chairman of an American Bar Association group on e-health and privacy. “The FTC is trying to remind everyone that they’re out there, and they’re watching.”
For that matter, the way the FTC is defining health information could be a game changer in itself. If you go to five different websites trying to get a deal on insulin, it’s probably a safe bet that you have diabetes. Until now, the law treated your web searches, app usage, and other detritus of your daily internet usage information the same way it would treat a record of the recipes you looked up for dinner last night. The FTC is trying to change that, which would be a massive disruption to the health business if it works.
This is also the first time the commission has taken enforcement action under its Health Breach Notification Rule, which requires companies to tell consumers about unauthorized access to their personal health records.
Update, Feb. 1, 1:10 p.m. EST: This story has been updated with a comment from GoodRx, and details about the tracking that still happens on the company’s website, according to an advertising tracker.