The Federal Trade Commission (FTC) reported a crackdown on the prescription drug coupon site GoodRx. The legal action is likely to be the first of an increasing number of fines issued to telehealth companies profiting from sharing consumers’ health data with advertisers, among other infractions. Under its Health Breach Notification Rule, the FTC took enforcement action, imposing a $1.5 million civil penalty against GoodRx.
The FTC press release published on February 1 explained that GoodRx operates a California-based digital health platform that makes prescription drug discounts, telehealth visits, and other health services available to consumers. It collects personal and health information about its users both from the users themselves and from pharmacy benefit managers, who confirm when a consumer purchases a medication using a GoodRx coupon. More than 55 million consumers have visited or used GoodRx’s website or mobile apps since January 2017.
The FTC’s Complaint Against GoodRx
In addition to “deceptively” promising users that it would never share personal health information (PHI), the FTC press release states that GoodRx repeatedly failed to notify consumers and others of its unauthorized sharing of consumer health data with Facebook, Google, Criteo, and other companies, including third parties such as Branch and Twilio.
GoodRx is also being accused of the following:
Used Personal Health Information to Target Users with GoodRx Ads. The FTC claims that GoodRx monetized users’ personal health information by sharing user data with advertisers behind the scenes in order to target those same users with personalized health- and medication-specific advertisements on their Facebook and Instagram pages. The example given on the FTC website states:
For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
Failed to Limit Third-Party Use of Personal Health Information. While falsely claiming that it complied with the Digital Advertising Alliance principles, which require companies to obtain consent before using health information for advertising, GoodRx allowed third parties to use that information for their own internal purposes, such as research and development or improving advertising.
Misrepresented its HIPAA Compliance. The GoodRx telehealth services homepage falsely displayed a seal suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Failed to Implement Policies to Protect Personal Health Information. Before a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx lacked sufficient formal, written, or standard privacy or data-sharing policies or compliance programs.
FTC Civil Penalties Against GoodRx
Under the proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with third parties for advertising. GoodRx has reportedly agreed to pay a $1.5 million civil penalty. The next step outlined in the FTC press release is that the proposed order must be approved by the federal court before going into effect.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated:
Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information…. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.
3. How do we share information with others?
We may share your information with companies that we work with or provide services to us in the ways described below.
A. Affiliates and Subsidiaries
We may share information with our subsidiaries and affiliated companies for business and operational purposes.
B. Service Providers and Third Parties
We may share your information with the following service providers and third parties to perform services on our behalf such as:
- Data warehouses, servers, and storage providers
- Data analytic, data connectivity and customer data providers and platforms
- Customer engagement or relationship management platforms
- Advertising networks, advertising software tools, advertising servers, advertisers, sponsors and partners that market and advertise to you and measure performance of marketing and advertisements
- Cloud computing providers
- Survey and customer feedback providers and platforms
- Mailing houses and delivery services
- Data providers
- Software development tools
- Referral program platforms
- Pharmacies, healthcare providers, pharmaceutical manufacturers, copay card providers, insurance plans and other entities in the healthcare ecosystem
- Data providers, email delivery, and analytics software
- Text delivery and analytics platform
- Customer service software
- Patient advocacy support providers to handle your requests
- Privacy management platform, such as to manage deletion requests
- Prepaid card and gift card vendor
- Credit card and payment processors that process your credit card information (in cases where you provide us with your credit card information) and track payments
- Information security, fraud detection and prevention providers
- Identity and professional credential verification providers
- Auditors, third parties conducting security assessments and services, law firms, staff augmentation firms and other professional services providers
What’s Happening with Privacy?
Action against telehealth companies has been making recent headlines following numerous studies on the lack of privacy in mental health apps and in some of the largest and most well-known telehealth companies. In a recently released review of 50 leading telehealth platforms, 49 were found to engage in suspicious sharing of protected health information for advertising purposes. As suggested above, existing privacy practices and public disclosures are being reviewed by authorities. Clinicians reading this and related Telehealth.org articles are encouraged to consider these recent events before recommending named digital services to clients and patients.
This article is published as a collaborative effort between Telehealth.org and the California-based Telehealth Institute, a nonprofit newsroom investigating how technology is being used to change healthcare.