    GoodRx Is Fined for Sharing Users' Prescription Information With Facebook, Google, and Others

    The FTC could also investigate fitness and other health apps

    The FTC settlement with GoodRx needs to be approved in federal court.
    Source: FTC, GoodRx

    The Federal Trade Commission filed a complaint in federal court today alleging that GoodRx, which offers coupons on prescription drugs, violated the law by sharing personal health information about its users. GoodRx has agreed to pay a $1.5 million fine and stop sharing sensitive data with advertising companies. The settlement needs to be approved by the court.

    That might be a relatively small fine, but the case is a big deal. An FTC statement calls this a “first of its kind order.” If the agency applies the legal reasoning it used in this case more broadly, and if the courts go along, Americans could gain more privacy over the data collected by health-related apps and websites than they’ve ever had before.

    “For years, we’ve seen stories about health apps sharing our data with ad-tech companies and data brokers. With this case, the FTC is saying that’s simply not allowed,” says Justin Brookman, director of technology policy for Consumer Reports. “This hopefully will lead to industrywide changes over how health data is treated.”

    The price comparisons and coupons GoodRx provides can save money on prescription drugs, and Consumer Reports and other organizations have recommended it in the past.

    But people who use GoodRx and many other health apps might be surprised to learn that what happens to even intimate details about their health has essentially been unregulated. 

    Consumer Reports found in 2020 that GoodRx was sharing information on its users’ prescriptions with more than 20 companies, including the advertising technology giants Google and Facebook.

    According to the FTC complaint filed today in U.S. District Court for the Northern District of California, that’s when the issue first came to light, prompting reforms at the company and an internal review at Facebook.

    The CR investigation found that if you were looking for discounts on Lexapro (an antidepressant), PrEP and Edurant (for HIV), Cialis (for erectile dysfunction), Clomid (used in fertility treatments), or Seroquel (an antipsychotic), that fact was shared behind the scenes.

    Along with the names of the medications, Google, Facebook, and other companies received information that could be used to identify the phone or laptop being used and therefore pinpoint who was probably doing each search. GoodRx customers that CR spoke with at the time were surprised that such intimate information was being shared with marketing companies.

    In response to CR’s reporting, GoodRx said it would make some changes to its data practices, including giving users a form they could use to ask the company to delete their data.

    The FTC says its own investigation showed that GoodRx compiled lists of users who had purchased specific medications “such as those used to treat heart disease and blood pressure” and uploaded their email addresses, phone numbers, and “advertising IDs” set by their phones to Facebook in order to target those GoodRx customers with health-related ads. That’s probably not the way many consumers thought their GoodRx searches were being handled. 

    In a written statement GoodRx said: “The settlement with the FTC focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began. We do not agree with the FTC’s allegations and we admit no wrongdoing.” The statement also said, “Entering into the settlement allows us to avoid the time and expense of protracted litigation.”

    The only law covering medical data that most people have heard of is HIPAA, the Health Insurance Portability and Accountability Act, but it’s tangential to the FTC’s case against GoodRx. That law applies narrowly to entities such as healthcare providers, health insurers, and medical labs, along with the companies they sign formal “business associate” agreements with to handle billing and similar tasks.

    So, for example, if you tell your psychiatrist that you have a history of bipolar disorder, HIPAA applies. But look up bipolar symptoms on WebMD or download a coupon for a bipolar disorder medication from GoodRx, and that law doesn’t apply. 

    CR has found technology companies being notified of visits to Weight Watchers and even Planned Parenthood. We’ve found similar issues with mental health apps, though if you use them to begin in-app telehealth appointments with a psychologist, those sessions are covered.

    Until now, companies that aren’t covered by HIPAA felt free to do just about anything with health information gleaned from apps and websites. The details weren’t treated with much more restraint than online searches for running shoes or restaurant reviews.

    Instead of HIPAA, the FTC says that GoodRx ran afoul of something called the Health Breach Notification Rule. (The agency also says GoodRx misled users about how their data would be used, but that part of the complaint doesn’t have broad, new implications for users of other apps and websites.)

    The details are complicated, but in essence, the FTC is interpreting that rule to mean that if a company releases your “personal health information” to people or organizations without your permission, the company must notify both you and the FTC. That applies not just to conventional data breaches—a hacker breaks into a database—but also to business arrangements where the company shares information deliberately. 

    “Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a public statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

    Back in 2021, the FTC acknowledged that it had never enforced the Health Breach Notification Rule but signaled that it was taking a closer look. In a policy statement, it listed a number of examples where the rule would apply, including mobile apps that draw data from fitness trackers, or ones that combine blood sugar data with information from the user’s calendar app. 

    That potentially covers many popular products and services that were never covered by HIPAA or other federal privacy laws, including, the policy statement said, “apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.” 

    An FTC spokesperson declined to comment on other investigations, and it’s not yet clear how much of an impact the FTC’s new enforcement efforts will have. 

    “If companies just update license agreements to include consent for all sorts of sharing, that won’t do much to help consumers,” says CR’s Brookman. “But I suspect the FTC will say that’s not good enough—that’s not really meaningful consent. Fortunately, we’re seeing a trend from policymakers around the world to move away from treating vague boilerplate waivers as a way to get permission to share whatever data they like.”


    Jerry Beilinson

    Jerry Beilinson heads tech journalism at Consumer Reports, directing both product coverage and investigations on issues such as algorithmic bias, the digital divide in internet access, and online privacy. In addition to digital technology, he has reported on and directed coverage of climate change, energy, medicine, sustainable design, infrastructure, and more for multiple publications.