GoodRx facing $1.5 million fine for sharing customers’ sensitive health info

The Federal Trade Commission (FTC) has proposed fining GoodRx $1.5 million for sharing customers’ sensitive health info and using that information to target them for services related to their medical conditions.


In addition, the FTC has proposed that GoodRx be prohibited from sharing user health data with applicable third parties for advertising purposes. Though the order has not been approved, GoodRx has agreed to pay a $1.5 million penalty.


The allegations against GoodRx (also doing business as HeyDoctor) are detailed in a 27-page complaint filed by the Department of Justice on behalf of the Federal Trade Commission. Below are some of the highlights of the Federal Trade Commission’s investigation into GoodRx’s marketing practices.



“Founded in 2011, GoodRx Holdings, Inc. (“GoodRx” or the “Company”) is a “consumer-focused digital healthcare platform” based in Santa Monica, California. GoodRx advertises, distributes, and sells health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.” GoodRx also advertises, distributes, and sells telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”).


Since at least 2017, GoodRx has promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties.


GoodRx repeatedly violated these promises, however, by sharing sensitive user information with third-party advertising companies and platforms (“Advertising Platforms”) like Facebook, Google, and Criteo, and other third parties like Branch and Twilio. The information GoodRx shared included its users’ prescription medications and personal health conditions, personal contact information, and unique advertising and persistent identifiers. GoodRx shared this information without providing notice to its users or seeking their consent. Moreover, GoodRx permitted third parties that received users’ personal health information to use and profit from the information for their own business purposes.


And, in the case of Facebook, GoodRx did more than just share its users’ sensitive information. GoodRx exploited the information shared with Facebook to target GoodRx users with advertisements on Facebook and Instagram. Using Facebook’s ad targeting platform, GoodRx matched specific users to their personal health information and designed campaigns that targeted users with advertisements based on their health information—all of which was visible to Facebook. These campaigns featured advertisements relating to specific medications (e.g., Viagra), or specific health conditions (e.g., erectile dysfunction) that GoodRx believed would be of interest to them, such as the one in Exhibit A below:


In one campaign, which GoodRx ran in August 2019, GoodRx compiled lists of its users who had purchased particular medications, uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook to identify their profiles, and labeled them by the medication they had purchased. GoodRx then targeted these users with health-related advertisements.


GoodRx also violated its promises to users by failing to implement sufficient policies or procedures to prevent the improper disclosure of sensitive health information or to notify users of breaches of that information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. And, even after GoodRx’s practices came to light, it failed to notify users that their health information had been disclosed without their authorization.


GoodRx’s repeated, unauthorized disclosures of users’ personal and health information over the course of a four-year period have revealed extremely intimate and sensitive details about GoodRx users that could be linked to (or used to infer information about) chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, information relating to parental status, substance addiction, sexual and reproductive health, sexual orientation, and other highly sensitive and personal information.


These actions are deceptive or unfair acts, in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), and violate the Health Breach Notification Rule, 16 C.F.R. § 318.”
