GoodRx put user privacy at risk
If you're among the people who used GoodRx to get discounts on your medications, the prescription shopping website might've done more than what you bargained for. GoodRx sent your personal health data to tech companies like Meta and Google for advertising purposes as well as the data brokers.
FTC charged GoodRx
The FTC recently announced that GoodRx has agreed to pay a $1.5 million fine and implement various measures to ensure that the company no longer sends health data for advertising purposes. GoodRx has agreed that it will take user consent before sharing health data for other purposes, and also to get in touch with the third parties with whom it earlier shared sensitive info to delete that data.
Consumer Reports said, "to determine how GoodRx shares data, we monitored traffic using a data packet-capturing tool to observe the company's Android mobile app and website as we searched for deals on a number of prescription medications."
Several of the company’s business partners received the names of the medications, along with ID numbers and other information that can be used to single out individuals. The data can reveal intimate information that many people would keep private from all but their close friends and family.
The FTC alleged that GoodRx shared names of medications people were looking for on the application, it has been accused of sending lists to Meta, which includes identity info of users who bought certain medications, Meta used it to target users with ads.
“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation," Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement."
When did GoodRx malpractices surface?
Some of GoodRx's practices were first disclosed in February 2020 by reports from Gizmodo and Consumer Reports, which explained how user data was being sent to third parties. GoodRx apologized for it, saying the data wasn't used for targeting ads and implemented some privacy measures.
Vox said "That seemed to be the end of it, as GoodRx operates in a digital privacy gray area. Though it may collect the same data that pharmacies, doctors, and health insurance companies do, in most cases it’s not beholden to the same health privacy laws — namely, HIPAA, the Health Insurance Portability and Accountability Act. Even when HIPAA didn’t apply to GoodRx, the FTC says that the company gave users the impression that it did by putting a little “HIPAA” icon on its website."
