FTC fines drug discount app for sharing user information to Facebook and Google

The Federal Trade Commission has slapped prescription drug discount app GoodRx with a $1.5 million fine for the unauthorized disclosure of customers’ identifiable health information with third parties, such as Facebook and Google. This is the first time the agency has taken enforcement action under its Health Breach Notification Rule, which requires vendors of personal health records to notify customers if their data has been breached. While the rule has applied to companies handling health records since 2009, FTC commissioners voted in favor of expanding it to cover health apps in 2021. 

According to the FTC, the California-based telehealth service repeatedly violated the rule by sharing customers’ personal health information, including their health conditions and the medicine they’re taking. Further, it shared their information with companies that have third-party advertising platforms like Facebook, Google and Criteo despite making a promise to customers that it will never do so. The FTC says GoodRx also monetized its customers’ information. In 2019, for instance, it uploaded the email addresses, phone numbers and mobile advertising IDs of users who purchased certain medications to Facebook, so it can target them with health-related ads. 

In addition to imposing a $1.5 million fine on GoodRx, the FTC is also seeking to change how the company handles user information. In its proposed court order (PDF) against the company, it listed several provisions, including banning the service from disclosing user data for advertising purposes. For other purposes, it wants to require GoodRx to secure customers’ consent first before sharing their health information to third parties. The FTC also wants GoodRx to get the third parties it shared data with to delete its customers’ information, and it wants the company to establish a comprehensive privacy program that will protect user data. 

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in statement:

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”