GoodRx fined $1.5 million for allegedly selling users’ health data

The company allegedly promised to keep users' medical info private, but instead sold it to third-party advertisers.
The FTC alleges GoodRx's data misuse extended as far back as 2017. Deposit Photos

GoodRx has helped millions of consumers find discounts on medical services such as prescription drugs and affordable telehealth since its debut in 2011. For years, the company’s official privacy policy stated it would share only limited personal data with third parties, and would never share users’ health information.

According to new Federal Trade Commission allegations, however, GoodRx ostensibly lied to over 55 million users by surreptitiously selling deeply personal medical information to companies as large as Facebook and Google. The company only changed its policies following details uncovered by consumer advocacy groups in 2020.

Per its enforcement action announced on Wednesday, the FTC claims GoodRx categorically mishandled users’ personal medical information, including users’ prescriptions and health conditions, as far back as 2017. Despite explicitly vowing it “would never share personal health information with advertisers or other third parties,” says the FTC, GoodRx instead sold this data to advertising companies and platforms including Google, Facebook, Branch, and Twilio to craft personalized ads.


For example, the FTC detailed how in August 2019 GoodRx assembled lists of users who had purchased specific medications, then uploaded their emails, phone numbers, and mobile ad IDs to Facebook. From there, the company matched them to account profiles and categorized them by the purchased medications, then targeted them with personalized health-related advertisements.

The concerted deception strategies also included previously displaying a seal supposedly certifying its commitment to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). GoodRx also purportedly misled the public about its adherence to the principles of the Digital Advertising Alliance, which forbids participating companies from sharing health information for advertising without explicit consumer consent. This also marks the FTC’s first enforcement action under the Health Breach Notification Rule, since GoodRx also failed to notify the public about unauthorized disclosures of individually identifiable health information to third-party advertisers.

“The fact that GoodRx has been endangering its users and abusing their trust is disgusting,” Caitlin Seeley George, Campaign Director for the digital rights advocacy group Fight for the Future, wrote to PopSci via email. Apart from the ethical issues, George also described the situation as “terrifying, especially at a time when people are scared of how their personal health information could be used to accuse them of breaking draconian anti-abortion or anti-trans laws.”


In a response released to the public, GoodRx representatives state, “We do not agree with the FTC’s allegations and we admit no wrongdoing” and claim that, “entering into the settlement allows us to avoid the time and expense of protracted litigation.” Representatives also claim, “the settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.”

In a blog post published on GoodRx’s website, the company writes that it addressed the FTC’s privacy concerns in 2020, ahead of the agency’s investigation, while also highlighting the ubiquity of data tracking strategies such as the controversial Facebook “pixel” tracking system.

The FTC’s proposed federal court order includes a $1.5 million civil penalty alongside a permanent ban on disclosing user health information to third parties for advertising. Other stipulations include user consent for any future information sharing, an order to direct third parties to permanently delete any data previously gathered through these methods, the institution of limited data retention policies, and a mandated privacy program.


George contends that the comparatively meager fine for a company as large as GoodRx “will do nothing to make amends to the people whose privacy has been violated.” Instead, she reiterated her organization’s urging of lawmakers to pass comprehensive federal data privacy laws so that such violations are discouraged from happening again.

GoodRx’s official Privacy Policy was last updated in January, and currently includes disclaimers regarding its right to sell users’ information to third-party advertisers.