GoodRx leaked user health data to tech giants, FTC says

You can track essentially everything related to your health or physical activity with health-related apps. The Moon has a dark side too, though. It turns out that one of these apps, GoodRx, has been leaking your data to firms like Facebook and Google.

GoodRx, the popular drug discount app, secretly and without authorization shared details on users’ illnesses and medicines with companies like Facebook and Google, the US Federal Trade Commission said in a consumer alert.

The app has been used by millions of Americans, eager to find lower prices on prescriptions like antidepressants, HIV medications, or treatments for other diseases.

The FTC now says all this came at a high cost – since at least 2017, GoodRx has been sharing users’ sensitive health data with firms that then use the information for ad-targeting.

According to the regulators, the digital health platform “broke its promises to users about how it would use and share their personal health information.” GoodRx, the FTC says, shared data about users’ health conditions and prescription drugs with tech giants without users’ permission – and contrary to what it told users in its privacy policy.

“GoodRx then used that sensitive health information to target its users with health ads on users’ social media feeds,” the FTC said.

“To generate those ads, GoodRx shared with Facebook and others information about its users’ prescription medications and sensitive health concerns — things like erectile dysfunction or treatments for sexually transmitted diseases. Worst of all, it failed to tell its users.”

GoodRx will have to pay a $1.5 million penalty and, if the judge approves the proposed settlement order, will be permanently prohibited from sharing health data with relevant third parties like Facebook that would use it for advertising.

“Convenience may come at a cost. Companies might create profiles about you and share your sensitive information with other companies. And once your information is no longer private, it’s hard (maybe impossible) to keep it out of the wrong hands,” the Commission warned.

The case of GoodRx – the company agreed to settle the case without admitting any wrongdoing – is also important because it could place widespread user-profiling and ad-targeting practices under the spotlight.

Besides, the FTC is seemingly trying out new legal approaches. This was the first time the FTC had taken enforcement action under its Health Breach Notification Rule.

The rule requires health apps and connected devices that collect or use personal health information to notify users of breaches like cyberattacks or the unauthorized sharing of their health data.

“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

Leaking personal health information is especially sensitive in the US nowadays, particularly in states that have banned or severely restricted abortions after the Supreme Court overturned Roe v. Wade and eliminated the constitutional right to abortion after almost 50 years.

Many activists are concerned about privacy and the potential prosecution of people choosing to have an abortion, as there's a risk that data brokers might sell Americans’ location and health information.