Skip to content
  • .home
  • .business & economy
  • .tech
  • .ledger of lies

Corruption Ledger

The Public Ledger of Corruption

  • about
  • .corruption
    • banks
    • censorship
    • corporate
    • environment
    • government
    • health
    • journalism
    • misinformation
  • .crime
    • child victims
    • tech crime
    • dimwit crimes
    • financial crime
    • killings
    • shootings
  • .international conflict
    • Israel-Palestine
    • Nordstream
    • Russia vs. West
    • war news
    • war machines
  • .privacy & surveillance
  • .leaks
    • all leaks
    • Wikileaks
  • .regions
    • All Regions
    • Africas
    • North Americas
      • All
      • Canada
      • U.S.
    • Asias
    • Europe
    • Middle East
    • Oceania
  • Toggle search form
  • Polish minister launches bill to extradite Ukrainian Nazi WW2 veteran Hunka from Canada All News
  • Poland: Ukraine is drowning and therefore dangerous All News
  • This China trade war isn’t about semiconductors: Straits Times Business & Economy
  • Airbus Hacker Threatens to Sell US, Europe Military Intel on Dark Web All News
  • Intel-linked UK official pushing censorship of Russell Brand -The Grayzone _enforcement
  • Australia Signs $210 Million Underwater Tracking Contract All News
  • TransUnion denies it was hacked, links leaked data to 3rd party All News
  • 400,000 calls made to Japanese Embassy in China over radioactive water All News

FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

Posted on February 1, 2023May 26, 2023 By CorruptionLedger No Comments on FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising

 

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.” 

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps. 

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:

  • Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio. 
  • Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
  • Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
  • Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
  • Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place. 

Health Breach Notification Rule Violation

According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history. 

GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.

Proposed Order

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

  • Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third parties for advertising purposes.
  • Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
  • Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
  • Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
  • Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

The Commission voted 4-0 to refer the complaint and stipulated final order to the Department of Justice for filing. Commissioner Christine S. Wilson issued a concurring statement. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorney on the GoodRx matter was Ronnie Solomon of the FTC’s Bureau of Consumer Protection.

Related

https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising

Compliance Regulation, corporate corruption, Corruption, health, Regulatory News, Surveillance & Privacy Tags:All Regions, Corruption, FTC, Region Americas, Region US, regulatory and enforcement, regulatory-compliance

Post navigation

Previous Post: La Baguette LLC, Dynamic Integrated Solutions Inc, Priority Acquisitions Inc: False Claims Act – Improper Paycheck Protection Program Loans
Next Post: NZ, Australia want ‘urgent’ answers over Saudi sponsorship of Women’s World Cup

You must log in to post a comment.

Wall of Shame

  • Censorship & Access to Information
  • Environmental Collapse
  • Journalism
  • In Court
  • Enforcement
  • Free Speech: What’s it good for?

Recent

  • Polish minister launches bill to extradite Ukrainian Nazi WW2 veteran Hunka from Canada
  • Poland: Ukraine is drowning and therefore dangerous
  • This China trade war isn’t about semiconductors: Straits Times
  • Airbus Hacker Threatens to Sell US, Europe Military Intel on Dark Web
  • Intel-linked UK official pushing censorship of Russell Brand -The Grayzone
  • Australia Signs $210 Million Underwater Tracking Contract
  • TransUnion denies it was hacked, links leaked data to 3rd party
  • 400,000 calls made to Japanese Embassy in China over radioactive water
  • Tornado at Pfizer plant accentuates US drug shortage issues
  • UK intelligence spun 2013 Syria chemical attack, leaked docs show
About CL
Shootings | Air Force and Aerospace
Rumble Video from CL
  • Foxconn dumps $26 billion Vedanta chip plan in blow to India All News
  • Erdogan thanks Putin for his help on Turkish nuclear plant All News
  • DOJ: Two Arrested for Operating Illegal Overseas Police Station of the Chinese Government _enforcement
  • Abortion pill order latest ruling by Texas judge _enforcement
  • UBS to impose Credit Suisse ban on new clients from high-risk countries All News
  • Epstein continued socializing with A-listers despite conviction – media banks

Copyright © 2022 Corruption Ledger. This web site contains no ads.