Telemedicine platform GoodRx said that, for expediency's sake, it was signing off on an agreement with the Federal Trade Commission to pay a fine and undertake privacy measures after it was accused of sharing customers’ health information with advertisers without getting permission.
If it weren’t intent on putting the matter behind it, the company said, it would challenge the agency’s charge that its actions fall under a disclosure requirement, the Health Breach Notification Rule (HBNR), that took effect in 2009 but had never before been applied to a company with its kind of business model.
“We believe this is a novel application of [HBNR],” the company said February 1, when the settlement was announced.
Accountability gap
The FTC said HBNR is intended to cover companies that don’t fall under the Health Insurance Portability and Accountability Act (HIPAA), which has been in effect since 1996 and includes privacy provisions that apply to healthcare providers, insurers and other businesses in the healthcare chain, such as claims processors and billing companies.
Tech companies like GoodRx that offer health-related services to consumers through an app or other connected device aren’t covered by HIPAA, the FTC says, so HBNR is a way to hold them accountable for how they handle the personal health information they collect from users. Some 55 million people have used GoodRx’s app and website since it was founded in 2015, according to a Stat report.
“This rule imposes some measure of accountability on tech firms that abuse our personal information,” FTC Chair Lina Khan said in 2021 when the agency announced its intention to apply HBNR to tech companies.
Automated sharing
GoodRx said the data sharing at issue involved the Facebook JavaScript tracking pixel, a script loaded from Facebook’s servers that reports the visitor’s IP address and the URL of each page viewed back to the advertising network. The pixel continues to be routinely used by companies and even government agencies. “We do not agree with the assertion that this was a violation of the HBNR,” the company said.
In any case, it stopped using the pixel almost three years ago, before the FTC contacted it about its practices, the company said. “We led the industry by removing the standard Facebook Javascript pixel,” it said.
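To make the mechanism concrete, the following is an added illustration, not code from GoodRx, Facebook or the FTC complaint: a minimal model of how a tracking pixel carries the current page URL (and with it any drug or condition names in the path or query string) to a third-party endpoint, plus a redaction step a site could apply before any such beacon fires. The tracker endpoint, the `dl` parameter name and the list of sensitive parameter names are assumptions chosen for the example; the IP address is not modelled because the receiving server learns it from the connection itself.

```javascript
// Illustrative model of a third-party tracking pixel and a redaction step.
// Not GoodRx's or Meta's code; endpoint and parameter names are assumptions.

const TRACKER_ENDPOINT = "https://tracker.example/tr"; // hypothetical endpoint

// Query parameters that, on a health site, are likely to identify a condition
// or medication. Constructed list for this example.
const SENSITIVE_PARAMS = new Set(["drug", "condition", "rx", "q", "search", "dosage"]);

// Paths whose first segment after the prefix names a drug or condition.
const SENSITIVE_PATH = /^\/(drugs|conditions)\/[^/]+/i;

// A pixel typically serialises the current page location into a query
// parameter of its own beacon request (assumed here to be called "dl").
function buildBeaconUrl(pageUrl, endpoint = TRACKER_ENDPOINT) {
  const beacon = new URL(endpoint);
  beacon.searchParams.set("ev", "PageView");
  beacon.searchParams.set("dl", pageUrl);
  return beacon.toString();
}

// What the tracker operator would learn from one beacon: the full page URL
// and every name/value pair embedded in its query string.
function exposedFromBeacon(beaconUrl) {
  const dl = new URL(beaconUrl).searchParams.get("dl");
  if (dl === null) return { pageUrl: null, params: {} };
  const page = new URL(dl);
  return { pageUrl: dl, params: Object.fromEntries(page.searchParams.entries()) };
}

// True if the beacon would hand over a sensitive parameter or a path that
// names a specific drug or condition.
function leaksSensitiveData(beaconUrl) {
  const { pageUrl, params } = exposedFromBeacon(beaconUrl);
  if (pageUrl === null) return false;
  if (Object.keys(params).some((k) => SENSITIVE_PARAMS.has(k.toLowerCase()))) return true;
  return SENSITIVE_PATH.test(new URL(pageUrl).pathname);
}

// Redact before sharing: drop sensitive query parameters, drop the fragment,
// and collapse /drugs/<name> or /conditions/<name> to the bare prefix, so
// /drugs/sertraline?dosage=50mg becomes /drugs/ with no query string.
function scrubPageUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) u.searchParams.delete(name);
  }
  u.hash = "";
  const m = u.pathname.match(SENSITIVE_PATH);
  if (m) u.pathname = `/${m[1].toLowerCase()}/`;
  return u.toString();
}

// Demonstration on a constructed page URL.
const samplePage = "https://pharmacy.example/search?drug=sertraline&zip=30301";
const rawBeacon = buildBeaconUrl(samplePage);
const safeBeacon = buildBeaconUrl(scrubPageUrl(samplePage));
console.log("raw beacon:", rawBeacon, "leaks:", leaksSensitiveData(rawBeacon));
console.log("scrubbed beacon:", safeBeacon, "leaks:", leaksSensitiveData(safeBeacon));
```

The point the model makes is that nothing in the pixel needs to "read" a search form: the drug name is already in the page URL, so any script that reports the URL reports the search. Scrubbing the URL before the beacon is built is one mitigation; removing the pixel from pages that handle health information, as GoodRx says it did, is the more complete one.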
In its complaint, the FTC alleged GoodRx collected identifiable personal information from people who used its app or visited its website and shared it with advertisers without consent. The information included details about drug and health conditions they searched for and the prescription medications they ordered.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” Samuel Levine, the FTC’s director of consumer protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
In settling with the FTC, GoodRx agreed to pay a $1.5 million fine and to follow protocols for collecting, managing and deleting people’s data and for reporting on its compliance effort. The company said it put extensive data privacy measures in place years ago, so meeting the requirements should be straightforward.
“We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations,” the company said. “We are glad to put this matter behind us so we can continue focusing on being a trusted source for Americans to find affordable and convenient healthcare.”