The FTC fines GoodRx for sharing users’ health data with third parties

Article by Lisa Phillips | Feb 2, 2023

The news: The Federal Trade Commission (FTC) fined GoodRx $1.5 million in civil penalties for sharing its customers’ health information with third parties such as Facebook, Google, and Criteo for advertising purposes.

GoodRx will pay the fine but denied wrongdoing, saying the charges stemmed from a previous acquisition and had already been addressed.

Digging into the violation: The FTC claims GoodRx repeatedly violated its promise that it wouldn’t share personal health information with advertisers or other third parties.

However, it shared information such as prescription medications, personal health conditions, personal contact information, and unique advertising and personal identifiers.
FTC commissioner Christine Wilson issued a statement on the decision stating, in part, that the $1.5 million fine was insufficient to cause GoodRx (current market cap of $2.3 billion) to change its business model.

First, but not last: This is the first time the FTC has charged any company with violating the Health Breach Notification Rule (HBNR), which has been on the books since it took effect in September 2009. But this is only the beginning.

In September 2021, the FTC issued a warning to health apps and connected device companies to comply with the HBNR.

Our take: Government oversight on digital health company practices is here to stay. The FTC took years to act, but several states have enacted strict laws around the privacy of personal health information.

Independent sources like STAT and Markup are investigating healthcare organizations’ data sharing with third parties. The fallout only begins with lost consumer trust.
Cyber criminals are zeroing in on healthcare data. Health systems and other major repositories of personal health information are being inundated with cyberattacks. It won’t be long before digital health companies are faced with ransomware demands.