Take care when collecting health data. A recent case suggests the US Federal Trade Commission (FTC) is getting serious about privacy among healthcare and pharmaceutical companies.
The FTC sanctioned the prescription drug discount app GoodRx on Feb 1 for allegedly sharing the data of its users without notice or consent.
The company has agreed to pay a $1.5 million civil penalty and will never again be allowed to share health data for advertising purposes. GoodRx also faces a class action lawsuit that could further harm the company’s finances and reputation.
Here’s what happened and why it matters to all companies dealing with health data.
‘False and Deceptive Statements’
GoodRx provides discounts on drugs via its app. This means the company processes some very sensitive data about its users’ health.
In its complaint against GoodRx, the FTC describes the promises and statements GoodRx made to its users.
Up until March 2019, GoodRx’s website promised its users it would “never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information”.
The company also reassured users that it complied with the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, which prohibits participants from sharing prescription or medical data without consent.
GoodRx also falsely stated that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA). The company is not even subject to that law.
Sharing Sensitive Information
Contrary to the company’s promises, the FTC states that GoodRx “shared sensitive information about millions of people” with Facebook, Google, and Criteo.
GoodRx shared this data for advertising purposes “without notice to users, and without obtaining consent.”
The company’s methods were relatively commonplace. The GoodRx app contained third-party pixels and software development kits (SDKs) to collect users’ data and send it to advertisers.
The company shared data including information about users’ prescriptions, their location, and directly identifying information such as their first and last names. GoodRx then targeted users on Facebook and Instagram based on their prescriptions and health conditions.
The company also failed to put proper contracts in place to ensure advertisers and other companies would not further share this data with others.