Telehealth firm GoodRx fined $1.5m over privacy breach
Telehealth and discount medicines provider GoodRx has been ordered to pay a $1.5 million fine by the US authorities for sharing its customers' sensitive health information with other companies, including Facebook and Google.
The Federal Trade Commission (FTC) said this was the first time that it had brought an action under its Health Breach Notification Rule, in a clear sign that the regulator is ramping up its enforcement activities against companies that fail to secure the data privacy of individuals' health records.
A key requirement of the rule is that companies have to inform the FTC, consumers and sometimes even the media when they discover a breach involving identifiable health information.
The FTC said GoodRx had failed to notify its users about unauthorised sharing of sensitive health data with third-party companies for advertising purposes over several years, putting it in line for the civil penalty.
"Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties," said the FTC in its complaint.
It added that GoodRx "repeatedly" violated this promise by sharing information, including prescription medication use and health conditions, with third-party advertising companies and advertising platforms like "Facebook, Google, and Criteo, and other third parties like Branch and Twilio."
The California-based digital health company, which offers prescription drug discounts, telehealth visits, and other health services, effectively monetised the data it was holding on its customers and caused them to be exposed to health- and medication-specific advertising.
It also allowed the other companies to use the information for their own internal purposes, including for R&D or to improve advertising, while falsely claiming it was in compliance with rules which require prior consent for this type of activity.
"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," commented Samuel Levine, director of the FTC's Bureau of Consumer Protection.
"The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation," he added.
Industry-wide implications?
The complaint against GoodRx was prompted by an investigation in 2020 by non-profit consumer rights organisation Consumer Reports, which said that if the FTC applies the legal reasoning it used in this case more broadly - and the courts go along - Americans could gain more privacy over the data collected by health-related apps and websites than they've ever had before.
"For years, we've seen stories about health apps sharing our data with ad-tech companies and data brokers. With this case, the FTC is saying that's simply not allowed," said Justin Brookman, director of technology policy for Consumer Reports. "This hopefully will lead to industry wide changes over how health data is treated."
GoodRx responded to the news with the following statement:
"We do not agree with the FTC’s allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.
"In fact, almost three years ago, before the FTC reached out to us, we proactively made updates consistent with our commitment to being at the forefront of safeguarding users’ privacy. While we had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites, we are proud that we took action to be an industry leader on privacy practices. We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare."