GoodRx Fined $1.5 Million for Sharing Sensitive User Health Data with Tech Companies
Alec Foster • 2023-02-02
Telemedicine company GoodRx has agreed to pay the fine to the FTC for sharing user health data with companies like Google and Facebook for advertising purposes. The court order is the first FTC action under the Health Breach Notification Rule.
GoodRx, a telemedicine company, is facing a $1.5 million fine from the Federal Trade Commission (FTC) for sharing users’ sensitive health information with tech giants like Google and Facebook. The FTC's proposed order would prohibit GoodRx from sharing this data with third parties for advertising purposes. The FTC's action comes after an investigation by Consumer Reports, a non-profit consumer advocacy organization, showed that GoodRx was sharing information on users’ prescriptions with more than 20 companies, including Google and Facebook.
This is the first FTC action under the Health Breach Notification Rule, which requires companies to notify users when their health data is breached. The rule also includes safeguards aimed at protecting consumer data. GoodRx, which provides prescription discount coupons and telehealth services, allowed users to track their personal health data, including their prescription medications and health conditions. The company collected this information from users and from pharmacy benefit managers.
According to the FTC, GoodRx uploaded users’ email addresses, phone numbers, and mobile advertising IDs to Facebook and used that information to target users with relevant ads. GoodRx also monetized users’ health data to target them with health and medication-specific ads on Facebook and Instagram. The company shared data with third parties for research, development, or advertising purposes without getting consent. GoodRx also misrepresented its HIPAA compliance and failed to maintain sufficient policies to protect users’ personal health information.
GoodRx disputes the FTC's allegations, saying the order "focuses on an old issue that was proactively addressed almost three years ago." The company says it has entered into the settlement to avoid the time and expense of protracted litigation. In addition to the fine, the order requires GoodRx to direct third parties to delete consumer health data shared with them, get users’ consent before sharing health data with third parties for purposes other than ads, limit how long it can retain personal health information, and create a privacy program to protect such data.
The FTC has issued a warning to health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. The action against GoodRx shows that the FTC means business and that companies like Facebook, which received the data, are on notice that they were in receipt of data that was illegally collected.