The FTC fines a drug discount app for leaking user information to Facebook and Google

The Federal Trade Commission has fined prescription drug discount app GoodRx $1.5 million for unauthorized sharing of customers’ identifiable health information with third parties like Facebook and Google. This is the first time the agency has taken enforcement action under its Health Breach Notification Rule, which requires personal health record providers to notify customers when their data has been breached. While the rule has applied to companies that manage health records since 2009, FTC commissioners voted to extend it to health apps in 2021.

According to the FTC, the California-based telemedicine service has repeatedly violated the rule by sharing customers’ personal health information, including their medical conditions and the medications they take. Additionally, it shared its information with companies that have third-party advertising platforms like Facebook, Google, and Criteo, despite promising customers it would never do so. According to the FTC, GoodRx also monetized its customers’ information. For example, in 2019, it uploaded the email addresses, phone numbers, and mobile advertising IDs of users who bought certain medications on Facebook in order to target them with health-related ads.

In addition to fining GoodRx $1.5 million, the FTC is also seeking to change the way the company handles user information. In its proposed court order (PDF) against the company, it listed several provisions, including prohibiting the service from sharing user data for advertising purposes. For other purposes, it would like to require GoodRx to first obtain consent from customers before sharing their health information with third parties. The FTC also wants GoodRx to get the third parties with whom it has shared data to delete its customers’ information, and it wants the company to put in place a comprehensive privacy program that protects user information.

Samuel Levine, director of the FTC’s Consumer Protection Bureau, said in a statement:

“Digital health companies and mobile apps should not monetize consumers’ highly sensitive and personally identifiable health information. The FTC announces that it will use all of its legal authority to protect American consumers’ sensitive information from misuse and illegal exploitation.”

All products recommended by Engadget are selected by our editorial team independently from our parent company. Some of our stories contain affiliate links. If you buy something through one of these links, we may receive an affiliate commission. All prices are correct at time of publication.

Leave a Reply

Your email address will not be published. Required fields are marked *