The FTC in early February ruled that GoodRx has violated patient privacy and HIPAA by sharing their data with third parties for advertising purposes. The FTC claims that GoodRx's practices violate their promises to users about how their data are used. The FTC also says this practice constitutes a data breach under HIPAA's breach reporting rule.
Why It Matters
The FTC is not just punishing GoodRx for false promises to consumers. It has also cited GoodRx for violating the HIPAA breach rule. Usually, a company's intentional disclosure of data to business partners (as opposed to data being taken from the company without its permission) is not considered a "breach" in the security sense. If purposeful disclosures are now deemed a "breach," companies covered by HIPAA have an even greater incentive to make sure their behavior is in line with what they promise consumers/patients.
According to the FTC, this health information that was shared with third parties was used to target GoodRx users with personalized health and medication-specific ads. The FTC specifically pointed to an August 2019 example of GoodRx compiling lists of users who had bought certain medications and uploading their email addresses, phone numbers and mobile ad IDs to Facebook so that it could target these users with related ads on Facebook and Instagram.
The commission also said GoodRx allowed the parties it shared data with to use that information for their internal purposes, including for research and development or to improve advertising, and falsely asserted that it complied with the Digital Advertising Alliance's principles, which mandate that companies obtain consent before using health information for advertising.