Not-So-GoodRx Reprimanded $1.5 million for Sharing Consumers’ Information

The article GoodRx Shares Consumer Data appeared in the April 2020 Newsline, which pertained to GoodRx sharing their consumers’ data with various platforms, including Facebook and Google. Key information from the article includes:

  • Both Facebook and Google denied utilizing information, specifically personal health information, obtained from GoodRx to target ads to mutual consumers.
  • Despite Facebook and Google’s claims, GoodRx did issue an apology for the role they played in sharing consumer information with the platforms and vowed to “do better”.
  • Since GoodRx is “a private company with no doctors or hospitals involved, it does not have to protect the health data a consumer gives it”

One could speculate that GoodRx was hoping this would be the end of the ordeal. However, it was not.

For the first time, the Federal Trade Commission (FTC) has enforced the Health Breach Notification Rule, due to “GoodRx Holdings Inc…failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.” Pending federal court approval, the Proposed Order will include numerous provisions that GoodRx will need to follow, including:

  • A prohibition on sharing user health data with applicable third parties for advertising purposes
  • A requirement to obtain user consent before sharing health information for purposes other than advertising
  • Implementation of a privacy program that includes safeguards against unauthorized access to user data
  • Mandatory outreach to third parties requesting that consumer health data be deleted, and disclosure to consumers of the breach of their health information and of the FTC’s legal action
  • A limit on how long consumers’ health information will be retained
  • Public disclosure of how long consumer information will be retained, what information is collected, and why the information collected is necessary
  • Payment of a civil penalty of $1.5 million due to “sharing sensitive personal health information for years with advertising companies and platforms contrary to its privacy promises…”.

As alluded to above, GoodRx is not a HIPAA covered entity and is therefore not legally bound to the same notification rules as covered entities. As such, patients should be made aware of this if they choose to upload information into GoodRx’s app or website or request that a pharmacy submit claims information to GoodRx. Patients can refer to GoodRx’s updated “Privacy Policy” for more information.

Meredith Thiede, PharmD