GoodRx Leaked User Health Data To Facebook and Google, FTC Says

An anonymous reader quotes a report from The New York Times: Millions of Americans have used GoodRx, a drug discount app, to search for lower prices on prescriptions like antidepressants, H.I.V. medications and treatments for sexually transmitted diseases at their local drugstores. But U.S. regulators say the app's coupons and convenience came at a high cost for users: wrongful disclosure of their intimate health information. On Wednesday, the Federal Trade Commission accused the app's developer, GoodRx Holdings, of sharing sensitive personal data on millions of users' prescription medications and illnesses with companies like Facebook and Google without authorization. [...]

From 2017 to 2020, GoodRx uploaded the contact information of users who had bought certain medications, like birth control or erectile dysfunction pills, to Facebook so that the drug discount app could identify its users' social media profiles, the F.T.C. said in a legal complaint. GoodRx then used the personal information to target users with ads for medications on Facebook and Instagram, the complaint said, "all of which was visible to Facebook." GoodRx also targeted users who had looked up information on sexually transmitted diseases on HeyDoctor, the company's telemedicine service, with ads for HeyDoctor's S.T.D. testing services, the complaint said. Those data disclosures, regulators said, flouted public promises the company had made to "never provide advertisers any information that reveals a personal health condition."

The company's information-sharing practices, the agency said, violated a federal rule requiring health apps and fitness trackers that collect personal health details to notify consumers of data breaches. While GoodRx agreed to settle the case, it said it disagreed with the agency's allegations and admitted no wrongdoing. The F.T.C.'s case against GoodRx could upend widespread user-profiling and ad-targeting practices in the multibillion-dollar digital health industry, and it puts companies on notice that regulators intend to curb the nearly unfettered trade in consumers' health details. [...] If a judge approves the proposed federal settlement order, GoodRx will be permanently barred from sharing users' health information for advertising purposes. To settle the case, the company also agreed to pay a $1.5 million civil penalty for violating the health breach notification rule.

Obligatory

[Virtucon]

Target [forbes.com] and every other retailer already knows that.

Slap on the wrist

[FlyingALittleTooHigh]

How is a mere $1.5m fine supposed to curb data sharing practices amongst this or other companies? On the contrary, I suspect that for certain large companies dependent upon advertising revenue, like Facebook and Google, such measly fines only serve as a green light to proceed with business as usual.

Re:Slap on the wrist

[currently_awake]

Why was this not prosecuted as a HIPA violation, and people put in prison? I would think HIPA(criminal law) would override the terms of service(civil law) for the website.

Re:

[Sir Holo]

Agreed. GoodRx seemed scammy from first glance. As it turns out, it was.

Typo correction: HIPAAA.

Re:

[Sir Holo]

Gah.

HIPAA

Re:

[ArchieBunker]

It’s HIPAA and it doesn’t apply to them.

Re:

[sound+vision]

HIPAA is a complex law. People like to condense it to "Nobody is allowed to give out any of your medical information", which is not what it says at all, although that's probably a good assumption to make for low-level healthcare workers.

I am guessing the privacy provisions don't apply to an entity that just does comparison shopping for drugs.

How unexpected!

[fbobraga]

I don't believe this! /s

Re:

[gosso920]

[shockedpikachu.jpg]

As if Facebook & Google already didn't know

[thesjaakspoiler]

If you're so concerned with your privacy, you shouldn't have a Facebook or Google account.
And take the opportunity to read the 73 page fine print that came with GoodRX before you pushed that accept button.

That's pretty light for HIPAA penalties.

[w3woody]

From 2017 to 2020, GoodRx uploaded the contact information of users who had bought certain medications, like birth control or erectile dysfunction pills, to Facebook so that the drug discount app could identify its users' social media profiles, the F.T.C. said in a legal complaint. GoodRx then used the personal information to target users with ads for medications on Facebook and Instagram, the complaint said, "all of which was visible to Facebook."

This strikes me as a willful data breach of HIPAA privacy rules, as it was not done accidentally but deliberately in order to identify social media profiles in a manner visible to Facebook, and it clearly was not corrected "in a reasonable time frame", as required by HIPAA rules, as this shit went on for three years.

That's a category 4 violation of HIPAA privacy rules, and the penalty for such a violation is $50,000 per violation with a maximum for $1.5 million per year.

Essentially GoodRx admitted to violating HIPAA privacy laws in an egregious and willful manner, and is paying the full fare for the fine.

The part that amazes me, however, is that this cap of $1.5 million was written for small practices and for individual doctors--not for large corporations like GoodRx, where $1.5 million is basically a rounding error on their financials. Essentially, by doing this, we've shown that--as we move towards consolidating practices under large HCOs where $1.5 million is essentially a write-off for the cost of doing business, our personal private medical information is simply not safe. For $1.5 million, you too can mine the health data records of tens or hundreds of thousands of patients.

This tells me Congress needs a new class of penalty here, which removes the cap for large entities. Especially now, as we're seeing Silicon Valley tech companies enter the health care space, where "move fast and break things" is a mantra, and where a $1.5 million dollar "penalty" is considered a minor tax write-off.

Re:

[Anonymous Coward]

Despite HIPAA it was obvious GoodRx was going to do this. Why would some random company decide to get involved with the scam-filled insurance and health industries except to turn a profit? They offer "free" "discounts." The only possible way they could be doing that is by collecting the personal information for profit.

And yes, I meant "discounts" because in fact medications cost a fraction of what you pay out of pocket. The whole medical complex is set up to bilk regular people and extract maximum profit fr

Mixed feelings

[Powercntrl]

Money is usually pretty tight for me, and I've used GoodRX for exactly that reason. Having known they were going to sell my information to advertisers in exchange for the discount, I still would've done it. It's all well and good to take a principled stand when it isn't a decision between filling your prescription or making this month's rent.

I certainly do think GoodRX should've been more upfront about what they were doing, but I believe it should ultimately be the decision of the user if trading some personal information for more affordable drugs is worth it. For some of us, it is. Welcome to healthcare in America
.

Re:

[Opportunist]

And there is nothing wrong with this. Tell your customer "these drugs are cheap, because we will sell that information and cover the cost that way" is perfectly fine in my books. You're trading your privacy for a discount on pharmaceuticals. That is ok.

The problem is not saying so. Yes, yes, TANSTAAFL and all that, but in the end, it could just be that they brokered a cheaper deal for some reason. Better conditions because of larger volume, because they waived certain liability rights, whatever. They could

Re:

[Harvey Manfrenjenson]

I wonder if GoodRx still collects your data if you just use their website, instead of their app? What if you use it in private mode? AFAIK the website gives you all the same functions as the app (comparing prices, printing coupons).

I've never understood why anyone would download an app that just duplicates the function of a website.

Re:

[CaptQuark]

If you install the app, the company knows exactly who you are. If you visit their website, there are ways to mask your identity or log in with alternate credentials. The companies know this and push to get you to install their apps as often as possible.

It's also easier for normal users to find a specific app on their phone rather than opening a browser and navigating to a specific website, log in with the appropriate credentials, and sometimes get past the 2FA that the site requires. The installed app is

Re:

[Harvey Manfrenjenson]

All very true, and of course the app *also* means that you have given the company valuable real estate on a screen that you look at a hundred times a day.

In the case of goodrx, you don't even have to log in or create an account to use their website... you just type goodrx.com into your browser and you're ready to go. So there's even less reason than usual to use their app.

Like the OP, I think goodrx provides a useful service. (You'll often find that the same medication costs 10x less at one pharmacy vs an

Re:

[CaptQuark]

Like the OP, I think goodrx provides a useful service. (You'll often find that the same medication costs 10x less at one pharmacy vs another, and you'll sometimes find that it's available out of pocket for less than the cost of your insurance copay).

My reply was about installing an app vs just going to a company's website.

I agree that GoodRX is providing a helpful service. We went to a retailer to purchase a medical item. We asked about the price and were told it was (approximately) $100 if you were using insurance and $14 if you were paying directly. The retailer knew that $14 was the real-world value of the item, but was willing to keep the $100 price on the books for insurance payments. It's possible that other industries (car repair, home repai

Re:

[BeaverCleaver]

Obligatory XKCD: https://xkcd.com/1174/ [xkcd.com]

Leaked?

[Opportunist]

Or sold?

Leaked To Secure Location

[zenlessyank]

It went to Google and Facebook, which are wholesome companies who would never disclose private information, so no worries here.

You know what's most telling?

[Rosco P. Coltrane]

Google and Facebook accepted the data.

And they won't be sued.

Re:

[wildfish]

They should be equally guilty for holding health information. Sort of like accepting stolen goods or perhaps owning an illegal drug. Heath information should be illegal to store.

"Leaked" is not the word I would've used

[lanerj]

Leak is when someone gets hacked, or a disgruntled employee sends out an unreleased design. I feel like a willing disregard for HIPAA protected medical information should be called something else, like "shared" or "delivered" data.

Well there goes your health insurance....

[alanambrose]

The health insurance benefit for consumers relies on *not knowing* who is going to get ill. That's the point of all insurance - to spread the financial penalty of random-ish downside risk. So, if and when everyone's health data is exposed to tip off the insurance companies, then they'll 'risk manage' you so that you'll pick up your own special flavor (i.e. more expensive) version of downside risk. You wont even know why your renewal is being refused.