Health Data, transparency, and consent: GoodRx fined $1.5 Million
Posted: February 14, 2023
Take care when collecting health data. A recent case suggests the US Federal Trade Commission (FTC) is getting serious about privacy among healthcare and pharmaceutical companies.
The FTC sanctioned the prescription drug discount app GoodRx on Feb 1 for allegedly sharing the data of its users without notice or consent.
The company has agreed to pay a $1.5 million civil penalty and will never again be allowed to share health data for advertising purposes. GoodRx also faces a class action lawsuit that could further harm the company’s finances and reputation.
Here’s what happened and why it matters to all companies dealing with health data.
‘False and Deceptive Statements’
GoodRx provides discounts on drugs via its app. This means the company processes some very sensitive data about its users’ health.
In its complaint against GoodRx, the FTC describes the promises and statements GoodRx made to its users.
Up until March 2019, GoodRx’s website promised its users it would “never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information”.
GoodRx’s privacy policy claimed that the company “rarely shares” personal health information with third parties and that it always ensured third parties were “bound to comply with federal standards as to how to treat ‘medical data’”.
The company also reassured users that it complied with the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, which prohibits participants from sharing prescription or medical data without consent.
GoodRx also falsely stated that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA). The company is not even subject to that law.
Sharing Sensitive Information
Contrary to the company’s promises, the FTC states that GoodRx “shared sensitive information about millions of people” with Facebook, Google, and Criteo.
GoodRx shared this data for advertising purposes “without notice to users, and without obtaining consent.”
The company’s methods were relatively commonplace. The GoodRx app contained third-party pixels and software development kids (SDKs) to collect users’ data and send it to advertisers.
This company shared data including information about users’ prescriptions, their location, and directly identifying information such as their first and last names. GoodRx then targeted users on Facebook and Instagram based on their prescriptions and health conditions.
The company also failed to put proper contracts in place to ensure advertisers and other companies would not further share this data with others.
Understanding HIPAA Compliance
In our latest guide, we discuss the importance of understanding Health Insurance Portability and Accountability (HIPAA) Compliance and the measures required to comply.
Read the full guide by following the below:
Health Breach Notification Rule
GoodRx settled with the FTC under the Health Breach Notification Rule. This is the FTC’s first enforcement action under this law.
The rule is over a decade old and is ostensibly designed to help prevent security breaches. However, in 2019 the FTC made clear that the law is not limited to cybersecurity attacks.
“When a health app, for example, discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule,” the FTC said in a September 2019 statement.
The Health Breach Notification Rule defines a “breach of security” as the “acquisition” of health information “without the authorization of the individual”. This is what happened in the present case—GoodRx facilitated the acquisition of its users’ health data by Meta, Google, and Criteo.
The drafters might not have had mobile advertising in mind when writing this rule. But the fact that the FTC is enforcing this way implies that the regulator is getting serious about privacy and online advertising.
Notice and consent
The Health Breach Notification Rule is far from the only US law regulating how companies share data for advertising purposes.
HIPAA-covered healthcare providers have been condemned in the press for over how they share data for advertising purposes. And companies in every sector can be subject to the new US state privacy laws taking effect this year.
The GoodRx settlement reiterates how crucial it is for every company to consider transparency and consent before sharing personal information.
All companies operating in the health and pharmaceutical sectors must have a robust compliance program in place, which includes measures to ensure users are making informed, free choices over how their data is shared for advertising and analytics.
To learn more about how we can assist you in meeting your health data needs, you can refer to our healthcare use case.
