The Federal Trade Commission is alleging GoodRx shared consumers’ personal health information with Facebook, Google and other third parties.
The Department of Justice, on behalf of the FTC, filed a complaint and proposed order for permanent injunction against the company Wednesday. Under the order, GoodRx would be prohibited from sharing health information with third parties and be fined $1.5 million. The order, which the consumer drug price comparison and digital health company agreed to, requires approval by the U.S. District Court for the Northern District of California.
It is the first time the FTC has enforced its 2009 Health Breach Notification Rule, which requires companies that collect and share consumers’ health information to notify those consumers. The move will likely serve as a warning shot to other digital health companies that share personal health data with third parties.
In a statement, GoodRx said the company does not agree with the FTC’s allegations and it admits no wrongdoing. The company said entering into the settlement will help it avoid the time and expense of protracted litigation.
According to the FTC, GoodRx allegedly compiled lists of users purchasing medication and uploaded their email addresses, phone numbers and mobile advertising IDs to Facebook in August 2019 so it could identify their profiles. GoodRx then allegedly used that information to target these users with health-related advertisements on Facebook and Instagram.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s bureau of consumer protection, in a news release. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
The FTC also alleged that GoodRx shared data with Google, Criteo, Twilio and Branch. An FTC spokesperson said the proposed order requires third parties that received GoodRx’s data to delete it. The spokesperson did not provide details on how the agency might enforce such directives.
The FTC also alleged GoodRx misrepresented its compliance with the Health Insurance Portability and Accountability Act of 1996 to consumers using its telehealth platform. The company sold its backend virtual technology to Wheel Health, a virtual health platform and provider network, for $19.5 million in cash in November 2022.
In May 2022, GoodRx disclosed that it had been under investigation since March 2020 by the FTC for its data-sharing tactics with third-party service providers. In its earnings statement from May, GoodRx said FTC staffers notified the company in October 2021 that they intended to recommend that the agency pursue an enforcement action. At the time, GoodRx said it was sent a draft complaint in January and planned to defend itself.
An FTC spokesperson declined to comment on whether other digital health companies were under investigation.
The actions follow a policy statement issued by the FTC in September 2021 warning health apps they must comply with the rule.
GoodRx has had a challenging year financially. The company said in its third quarter earnings report in November that its total revenue decreased 4% to $187.3 million from $195.1 million in the corresponding period last year. Its prescriptions transactions business, which is GoodRx’s largest source of revenue, fell 16% from $155.7 million to $131.2 million.
Over the last year, the FTC has increased its scrutiny of digital health companies. Last August, it filed a lawsuit alleging data broker Kochava was selling geolocation data from hundreds of millions of mobile phones that could be tracked to abortion clinics and possibly identify medical professionals who performed the procedures. Kochava’s general manager Brian Cox said in a statement the FTC desired a settlement and characterized its process as “flamboyant” and “frivolous.”
In June 2021 the FTC settled with Flo Health, a period and ovulation tracking company, after it failed to obtain users’ consent before sharing their personal health information with Facebook, Google and other companies.
This story first appeared in Digital Health Business & Technology.