The Federal Trade Commission (FTC) fined GoodRx Holdings Inc. $1.5 million in a first-of-its-kind move for purportedly sharing customers' sensitive health information with Facebook, Google, and other third parties without their consent, as reported first by AP on Wednesday, Feb. 1.
According to a settlement, the California-based GoodRx has also agreed that it will no longer be permitted to share customer health information with other parties for advertising purposes.
"No Wrongdoing"
However, GoodRx argued in a blog post that it admitted no wrongdoing in the alleged sharing of personal data.
It said that the settlement is centered on an "old issue" that was already addressed nearly three years ago, before the FTC conducted an inquiry.
"We do not agree with the FTC's allegations and we admit no wrongdoing. Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations," GoodRx wrote in its blog post.
The FTC's complaint alleges that GoodRx broke the FTC Act by disclosing private health information to advertising platforms and companies for years in violation of its privacy commitments, and by failing to give notice of these unauthorized disclosures as required by the Health Breach Notification Rule.
Health Breach Notification Rule
The Health Breach Notification Rule is the law established in 2009 that applies to companies that sell personal health records and other providers not covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This is the first time that such a move has been made under the 2009 law.
It happened three years after Consumer Reports found that GoodRx was giving more than 20 companies access to people's private health information.
"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," Samuel Levine, Director of the FTC's Bureau of Consumer Protection, said in a press release.
However, GoodRx said that it has "proactively" addressed the issue and that in 2020 it implemented updates consistent with its commitment to protecting the personal data of its users.
GoodRx also claims to have assisted clients in saving more than $45 billion since 2011.
Since January 2017, more than 55 million customers have accessed GoodRx's website or mobile apps, according to the FTC.
The FTC claimed that the company gathers user-provided personal and health data, as well as information from pharmacy benefit managers, or PBMs, which verify whether one of its coupons has been used to make a purchase.