GoodRx Leaked User Health Data to Facebook and Google, F.T.C. Says

Tens of millions of People have used GoodRx, a drug low cost app, to seek for decrease costs on prescriptions like antidepressants, H.I.V. medicines and coverings for sexually transmitted illnesses at their native drugstores. However U.S. regulators say the app’s coupons and comfort got here at a excessive value for customers: wrongful disclosure of their intimate well being info.

On Wednesday, the Federal Commerce Fee accused the app’s developer, GoodRx Holdings, of sharing delicate private information about customers’ prescription medicines and sicknesses with corporations like Fb and Google with out authorization.

The corporate’s information-sharing practices, the company mentioned, violated a federal rule requiring well being apps and health trackers that accumulate private well being particulars to inform customers of information breaches.

Whereas GoodRx agreed to settle the case, it mentioned it disagreed with the company’s allegations and admitted no wrongdoing.

The crackdown on GoodRx comes at a second of heightened concern over the leaking of delicate well being info, notably in states which have banned or severely restricted abortions. And it underscores the F.T.C.’s intensifying efforts to push digital well being companies to beef up their consumer privateness and safety protections.

The F.T.C.’s case in opposition to GoodRx may upend widespread user-profiling and ad-targeting practices within the multibillion greenback digital well being trade, and it places corporations on discover that regulators intend to curb the practically unfettered commerce in customers’ well being particulars.

During the last twenty years, start-ups and big tech corporations have launched a spread of health gadgets, smartwatches and fertility apps. However in contrast to an individual’s blood check outcomes and different affected person info collected by medical doctors and hospitals — which is protected by a federal regulation, the Well being Insurance coverage Portability and Accountability Act, referred to as HIPAA — there are few authorized protections that particularly cowl private well being particulars, just like the names of medicine or illnesses, that tens of tens of millions of customers enter into apps or seek for on-line.

In 2019, GoodRx uploaded the contact info of customers who had purchased sure medicines, like blood stress drugs, to Fb in order that the drug low cost app may establish its customers’ social media profiles, the F.T.C. mentioned in a authorized grievance. GoodRx then employed the non-public info to focus on customers with adverts for medicines on Fb and Instagram, the company mentioned.

These information disclosures, the company mentioned, flouted public guarantees the corporate had made to “by no means present advertisers any info that reveals a private well being situation.”

If a decide approves the proposed federal settlement order, GoodRx could be completely barred from sharing customers’ well being info for promoting functions. To settle the case, the corporate additionally agreed to pay a $1.5 million civil penalty for violating the well being breach notification rule.

The F.T.C. is using new authorized approaches and cures within the GoodRx case as a part of its effort to bolster safeguards for the non-public info collected by well being apps, trackers and websites.

That is the primary time that company has introduced an enforcement motion utilizing its Well being Breach Notification Rule. That rule requires well being apps and related gadgets that accumulate or use private well being info, like a person’s coronary heart price or menstruation historical past, to inform customers of breaches like cyberattacks or the unauthorized sharing of their well being information. That is additionally the primary time {that a} proposed F.T.C. consent order is looking for to ban an organization from sharing customers’ well being information for promoting functions.

“Digital well being corporations and cellular apps shouldn’t money in on customers’ extraordinarily delicate and personally identifiable well being info,” Samuel Levine, director of the F.T.C.’s bureau of shopper safety, mentioned in an announcement. “The F.T.C. is serving discover that it’s going to use all of its authorized authority to guard American customers’ delicate information from misuse and unlawful exploitation.”

GoodRx, primarily based in Santa Monica, Calif., mentioned in an announcement that consumer privateness was one among its most necessary priorities. The corporate added that the settlement with the company targeted on points that GoodRx resolved three years in the past, earlier than the F.T.C. inquiry started.

“Whereas we had used vendor applied sciences to promote in a approach that we consider was compliant with all relevant rules and that continues to be widespread observe amongst many well being, shopper and authorities web sites, we’re proud that we took motion to be an trade chief on privateness practices,” the GoodRx assertion mentioned.

It is a growing story. Verify again for updates.