GoodRx broke its promise. Health app shared users' data without permission | Opinion

The Federal Trade Commission has taken its first-ever enforcement action against a company for violating the Health Breach Notification Rule, which requires companies covered by it to notify customers if their personal health information has been compromised. What’s unusual is that this wasn’t a case of a company’s database being hacked. Rather, the FTC says the company broke its promises to users about how it would use and share their personal health information.

GoodRx runs a digital health platform that allows users to compare prescription drug prices and get prescription drug coupons and, for a monthly fee, get even greater discounts and telehealth visits. Over 55 million people have used its services since 2017.

Randy Hutchinson

GoodRx collects personal and health information from its users and from pharmacy benefit managers confirming a consumer used one of GoodRx’s coupons to buy a medication. In its privacy policy, the company said it would rarely share information with third parties and that it would never provide advertisers with information that reveals a personal health condition.

But contrary to its promises, GoodRx incorporated third-party trackers from Facebook, Google and other companies in its websites and apps that sent information to them for marketing and other purposes. As a result, consumers who accessed a GoodRx coupon for Viagra might see an ad on their Facebook or Instagram page for an erectile dysfunction medication. Someone who used a telehealth service to get treatment for a sexually transmitted disease might get an ad for an STD testing service. The company also targeted users with its own health-related advertisements based on profiles developed in conjunction with Facebook.


The FTC also said the company’s advertising featured a seal stating it was “HIPAA Secure: Patient Data Protected,” even though it is not a covered entity under the Health Insurance Portability and Accountability Act and it never complied with HIPAA requirements.

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said, “Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive information from misuse and illegal exploitation.”


GoodRx is not the only company the FTC has focused on for allegedly misusing users’ information. BetterHelp, an online counseling service that operates an app, settled charges that it shared over 7 million consumers’ sensitive data with Facebook, Snapchat and other third parties for advertising despite promising to keep the information private.

The FTC recommends other companies learn these lessons from the GoodRx case:

∎ Tell the truth about how you intend to use customers’ health data.

∎ If sensitive health data is part of your business, understand that you’ve upped the ante on ensuring its security and privacy.

∎ Set contractual boundaries on how third parties use information obtained from your company.

∎ Monitor the data flow to all third parties your site or app may be connected to.

If you want to protect your privacy online, consider opting out of targeted ads, if possible. Check if you can customize your privacy settings and find out if you have the right to tell the company to delete your data.

Randy Hutchinson is the president of the Better Business Bureau of the Mid-South. Reach the BBB at 800-222-8754.

This article originally appeared on Knoxville News Sentinel: Opinion: Why FTC is going after GoodRx for targeting your medication