Federal Trade Commission commences enforcement action against GoodRx for extraordinary privacy breaches involving sharing consumer sensitive health information for advertising purposes
February 8, 2023
The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRx for a range of significant breaches involving customers’ information. This is the first time it has used its powers under the Health Breach Notification Rule.
This case highlights the temptation to monetise personal information to generate sales, even where that means disclosing personal health related information. It also demonstrates that large operations can, and often do, ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent, and often make a bad situation much worse.
While the law differs in Australia, these actions are worth considering because of the methodology the FTC deploys in framing its cases. The technology is the same in Australia and the United States. The issues are the same.
According to the FTC:
- since 2011, GoodRx Holdings, Inc. has operated as a “consumer-focused digital healthcare platform” based in Santa Monica, California.
- GoodRx advertises, distributes, and sells:
  - health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
  - telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
- since at least 2017, GoodRx promised its users that it would share their personal information, including their personal health information, with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3].
- GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16].
- GoodRx collects:
  - users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
  - personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee [20].
  - personal and health information from pharmacy benefit managers (“PBMs”). When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21].
On February 25, 2020, Consumer Reports published an article (the “Consumer Reports article”) reporting that GoodRx was sharing health information with Facebook, Google, and other third parties.
The release provides:
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.
In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.
According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:
- Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.
- Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
- Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
- Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
- Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.
Health Breach Notification Rule Violation
According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.
GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.
Proposed Order
In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:
- Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
- Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
- Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
- Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
- Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.
The complaint sets out a very concerning practice regarding the misuse of health information by providing that information to social media sites. Relevantly, the FTC alleges:
- GoodRx repeatedly shared sensitive user information with third-party advertising companies and platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.
- the information GoodRx shared included:
  - its users’ prescription medications and personal health conditions,
  - personal contact information, and unique advertising and persistent identifiers.
- GoodRx shared this information without providing notice to its users or seeking their consent.
- GoodRx permitted third parties that received users’ personal health information to use and profit from the information for their own business purposes.
- GoodRx exploited the information shared with Facebook to target GoodRx users with advertisements on Facebook and Instagram. GoodRx matched specific users to their personal health information and designed campaigns that targeted users with advertisements based on their health information all of which was visible to Facebook.
- in August 2019, GoodRx compiled lists of its users who had purchased particular medications, uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook to identify their profiles, and labeled them by the medication they had purchased. GoodRx then targeted these users with health-related advertisements.
- GoodRx integrated third-party tracking tools from Facebook, Google, Criteo, and other third parties into its websites and Mobile App. The tracking tools (including automated web beacons called tracking “pixels” and other automated trackers called “Software Development Kits” (“SDKs”)) collect and send data to third parties so that they can provide advertising, data analytics, or other business services to the owner of the website or mobile app. That information includes users’ contact information, persistent identifiers, location information, and “Events Data,” which is information about users’ activities while using a website or mobile app.
- GoodRx tracked and shared:
  - “Standard Events,” which are records of routine website or app functions, such as the fact that a user launched or closed a mobile app or website.
  - “Custom Events,” customized records of website or Mobile App interactions unique to the GoodRx user experience. Custom Events have unique, customized names. GoodRx chose descriptive titles that conveyed health information about its users. As a result, at times, when GoodRx shared a Custom Event, it was sharing its users’ health information.
- In 2017, GoodRx configured a Facebook tracking pixel on its GoodRx and GoodRx Gold websites to share Standard and Custom Events, which conveyed user health information to Facebook including:
  - the name of the medication for which users accessed a GoodRx Coupon;
  - the website URL, which in many cases included a medication name;
  - the health condition related to the medication (“Drug Category,” such as “high cholesterol”);
  - the medication quantity (“Drug Quantity,” such as “30-day supply”);
  - the pharmacy name (“PharmName”);
  - the user’s city, state and zip code;
  - website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses [41].
- in May 2019, GoodRx configured the pixel to automatically share with Facebook additional personal information, including user first and last name; email address; phone number; city, state, and zip code; and gender [42].
- GoodRx shared additional personal and health information with Facebook through the pixel beginning in December 2019, when it configured certain of its URL addresses to embed user first and last name, email address, date of birth, phone number, and in some instances, prescription medication name. These URLs were shared with Facebook [43].
- In August 2019, HeyDoctor began prompting users to view a GoodRx Coupon for medications prescribed during their telehealth consultation. When a user did so, GoodRx configured the pixel to share information about the prescribed medication with Facebook, through a Custom Event called “drug.” It shared:
  - the medication name (such as “nitrofurantoin”);
  - dosage (such as “100 mg”);
  - form (such as “capsule”);
  - whether the user was interested in viewing the GoodRx Coupon (such as “interested: Yes”);
  - the name and location of the user’s pharmacy (such as “Pharmacy: Capsule Pharmacy, New York, NY”);
  - users’ IP address, and website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons [45].
- GoodRx configured a Google tracking pixel on its website and an SDK on its GoodRx Mobile App to share Custom Events that conveyed users’ health information with Google, including:
  - the name of the medication for which users accessed a GoodRx Coupon (such as “atorvastatin”);
  - drug type (such as “generic”); drug quantity (such as “30”); drug dosage (such as “40 mg”); drug form (such as “tablet”);
  - pharmacy ID and related health condition;
  - users’ phone number, email address, and zip code; and
  - users’ IP address.
- with the Google Android and iOS SDKs, GoodRx also shared:
  - users’ latitude and longitude coordinates;
  - unique advertising IDs, such as IDFA (Apple’s ID for advertisers), AAID (Android’s Advertiser ID), and Android ID, which may be used to target individuals with advertisements [46].
- In the case of Facebook, GoodRx’s conduct went beyond sharing personal health information. It used and monetized the personal health information it shared to target GoodRx users with advertisements on the Facebook and Instagram platforms. Through Facebook’s “Ads Manager” and its “Custom Audiences” feature, GoodRx used the information it shared with Facebook to identify its users who had Facebook and Instagram accounts. GoodRx then grouped the resulting list of users into Custom Audiences that it categorized based on health information (such as an audience of users who took Lipitor); gave its Custom Audiences descriptive titles that in some cases contained medication names or health conditions; and targeted these users with health-related advertisements that marketed GoodRx’s services. In some cases, these targeted advertisements featured specific medications like Viagra or health conditions like erectile dysfunction [48].
- GoodRx built Custom Audiences in two ways:
  - through Custom Audiences based upon Medication Purchase Data. It compiled lists of its users who had used a GoodRx Coupon to purchase particular medications, and uploaded their email addresses, phone numbers, and mobile identifiers to Ads Manager to identify those individuals on Facebook or Instagram.
  - it then created medication-specific advertising audiences consisting of these users, named each Custom Audience according to the medication they had purchased (for instance, a Custom Audience named “atorvastatin claims,” representing an audience of Facebook or Instagram users who had purchased the medication atorvastatin), and targeted these users with health-related advertisements [49].
- since 2017, GoodRx took no action to limit how Advertising Platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio, could use the personal health information it shared with them.
- GoodRx permitted each Advertising Platform to use its users’ personal health information expansively, including for other advertising or for their own internal business purposes despite its promise that it would take steps to ensure that third parties that received personal health information were bound to comply with “federal standards” and “confidentiality obligations,” and HeyDoctor’s promise that it would employ “contractual and technical protections” to limit third-party use of users’ information [52]
- at least one third party (Facebook) used Events Data for its own purposes, including its own research and development and ad optimization purposes. Facebook employees also have had access to GoodRx’s Ads Manager Account, including Custom Audience names that referenced specific drugs or health conditions [53]
- prior to February 2020, despite promises that users could trust GoodRx with their sensitive information, it had no sufficient:
  - formal, written, or standard internal data sharing policies or procedures that governed how all types of health and personal information could be shared;
  - compliance programs for reviewing and approving all data sharing requests or third-party tracking tool integrations;
  - policies or procedures for notifying users of breaches of their personal and health information.
- GoodRx marketing department employees created Custom Events conveying personal health information to third parties without going through any formal review or approval process.
- GoodRx had no employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices [54].
- In truth and in fact, GoodRx failed to take steps to limit third-party use of users’ personal health information. Third parties that received personal health information, including Facebook, Branch, Criteo, and Twilio, were permitted to, or did, make use of this information for their own internal business purposes, including for their own research and development or ad optimization purposes. GoodRx took insufficient action to limit what these third parties could do with users’ personal health information, and either agreed to each company’s standard terms of service, or entered into agreements that permitted these third parties to use GoodRx users’ personal health information for their own internal business purposes.
- GoodRx users are suffering, have suffered, and will continue to suffer, substantial injury as a result of GoodRx’s violations of the FTC Act and the Health Breach Notification Rule (“HBNR”).
- GoodRx has also been unjustly enriched as a result of these violations.
- GoodRx’s sharing of personal and health information revealed highly sensitive and private details about its users, most of whom suffer from chronic health conditions. This has led to the unauthorized disclosure of facts about individuals’ chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, parental status, substance addiction, sexual and reproductive health, and sexual orientation, as well as other information. Disclosure of this information without authorization is likely to cause GoodRx users stigma, embarrassment, or emotional distress, and may also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services. Moreover, it has increased the risk of further unauthorized disclosures [80].
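The data flows the complaint describes for the Facebook and Google pixels (the “drug” Custom Event, the “Drug Category”, “Drug Quantity” and “PharmName” parameters, and the URLs that from May and December 2019 carried medication names and contact details) are exactly what a privacy engineering review should catch before an event leaves the site. The Python script below is an added example written for this post; it is not code from the original page or from GoodRx. It is a pre-send filter that inspects each analytics event and its page URL, drops identity and health parameters, masks medication-name path segments, and blocks any event whose name itself encodes a health fact. Only the field and event names quoted in the complaint are taken from the page; the sample events, the remaining parameter names, the regular expressions, the example.test hostname and the medication list are constructed assumptions.

```python
"""Pre-send filter for analytics events: strip identity and health data before a
tracking pixel or SDK forwards the event to an advertising platform.

Added example for this post; not GoodRx code. Field names quoted in the FTC
complaint ("Drug Category", "Drug Quantity", "PharmName", the "drug" Custom
Event) are reused; everything else here is a constructed assumption.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter keys that identify a person (normalised to lower_snake_case).
IDENTITY_KEYS = {"email", "phone", "first_name", "last_name", "fn", "ln", "dob",
                 "date_of_birth", "zip", "zipcode", "gender", "idfa", "aaid", "android_id"}
# Parameter keys that reveal a health fact.
HEALTH_KEYS = {"drug", "drug_name", "drug_category", "drug_quantity", "drug_dosage",
               "drug_form", "drug_type", "pharmname", "pharmacy", "pharmacy_id",
               "condition", "interested"}
# Event names that encode a health fact. "drug" is the Custom Event named in the
# complaint; the other tokens are assumptions for this example.
HEALTH_EVENT_RE = re.compile(r"\b(drug|medication|rx|condition|diagnos\w*)\b", re.I)
# Medication names that may appear as URL path segments. Constructed from names
# quoted in the complaint; a real deployment would load a full formulary.
PATH_DENY = {"atorvastatin", "nitrofurantoin", "lipitor", "viagra"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def _normalize(key):
    """'Drug Category' -> 'drug_category' so look-ups ignore case and spacing."""
    return re.sub(r"[^a-z0-9]", "_", key.lower())


def _sensitive_value(value):
    """True when a value looks like an e-mail address or phone number."""
    return isinstance(value, str) and bool(EMAIL_RE.search(value) or PHONE_RE.search(value))


def scrub_url(url):
    """Return (clean_url, findings): sensitive query keys are dropped, medication
    path segments are masked, and the fragment is never forwarded."""
    findings = []
    parts = urlsplit(url)
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _normalize(key) in IDENTITY_KEYS | HEALTH_KEYS or _sensitive_value(value):
            findings.append(f"url query '{key}' removed")
        else:
            kept.append((key, value))
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if seg.lower() in PATH_DENY:
            findings.append(f"url path segment '{seg}' masked")
            segments[i] = "_medication_"
    clean = urlunsplit((parts.scheme, parts.netloc, "/".join(segments), urlencode(kept), ""))
    return clean, findings


def scrub_event(event):
    """Return (clean_event, findings) for one event {"name", "params", "url"}.
    An event whose name encodes a health fact is blocked outright (None)."""
    findings = []
    name = event.get("name", "")
    if HEALTH_EVENT_RE.search(name):
        findings.append(f"event '{name}' blocked: name encodes a health fact")
        return None, findings
    params = {}
    for key, value in event.get("params", {}).items():
        if _normalize(key) in IDENTITY_KEYS | HEALTH_KEYS:
            findings.append(f"param '{key}' removed")
        elif _sensitive_value(value):
            findings.append(f"param '{key}' removed: value looks like contact data")
        else:
            params[key] = value
    clean_url, url_findings = scrub_url(event.get("url", ""))
    findings.extend(url_findings)
    return {"name": name, "params": params, "url": clean_url}, findings


def audit(events):
    """Scrub a batch; returns (events safe to forward, all findings)."""
    allowed, findings = [], []
    for event in events:
        clean, found = scrub_event(event)
        findings.extend(found)
        if clean is not None:
            allowed.append(clean)
    return allowed, findings


# Constructed sample events modelled on the data flows in the complaint.
SAMPLE_EVENTS = [
    # Standard Event on a non-medication page: nothing to remove.
    {"name": "PageView", "params": {"session": "abc123"},
     "url": "https://example.test/help?ref=nav"},
    # Custom Event named "drug", as in the HeyDoctor flow: blocked outright.
    {"name": "drug", "params": {"name": "nitrofurantoin", "dosage": "100 mg", "form": "capsule",
                                "interested": "Yes", "Pharmacy": "Capsule Pharmacy, New York, NY"},
     "url": "https://example.test/care/visit"},
    # Standard Event on a medication page with contact details embedded in the URL.
    {"name": "ViewContent",
     "params": {"Drug Category": "high cholesterol", "Drug Quantity": "30-day supply",
                "PharmName": "Example Pharmacy", "currency": "USD"},
     "url": "https://example.test/atorvastatin?email=pat%40example.test&fn=Pat&coupon=1"},
]

if __name__ == "__main__":
    allowed, findings = audit(SAMPLE_EVENTS)
    for event in allowed:
        print("forward:", event)
    for finding in findings:
        print("finding:", finding)
```

Run stand-alone, the script forwards the page view and a stripped “ViewContent” event (medication path masked, only the non-sensitive parameters kept) and blocks the “drug” event entirely. In practice a filter like this sits in the tag-management or SDK wrapper layer, the medication list comes from a full vocabulary rather than four names, and the findings are logged so that a marketing team adding a new Custom Event or URL parameter that leaks health data is detected rather than silently shipped, which is the review and approval step the complaint says was missing.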