In a first-of-its-kind enforcement, the Federal Trade Commission has imposed a $1.5 million penalty on telehealth and prescription drug discount provider GoodRx Holdings Inc. for sharing users' personal health data with Facebook, Google and other third parties without their consent.
California-based GoodRx also accepted that it will be prohibited going forward from sharing user health data with third parties for advertising purposes, the FTC said. The agreement is pending federal court approval.
Consumer protection advocates hailed Wednesday's announcement as a potential game-changer that could seriously curtail a little-known phenomenon: The trafficking in sensitive health data by businesses not strictly classified as health care providers.
"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," Samuel Levine, head of the FTC's Bureau of Consumer Protection, said in a statement. "The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."
GoodRx did not immediately respond to an email seeking comment on the business impact of the enforcement action.
It is the first such enforcement under a 2009 law, the Health Breach Notification Rule, which applies to personal health record vendors and related providers not covered by HIPAA, the federal privacy rules that govern the health care industry.
The enforcement comes three years after Consumer Reports discovered that GoodRx was sharing people's personal health information with more than 20 companies. "People told us they'd never expected that their sensitive information was being shared with the likes of Google and Facebook," Marta Tellado, president and CEO of Consumer Reports, said in a statement Wednesday. "This is a win for consumers, and it could have a profound effect on how our health information is kept private moving forward."
Justin Brookman, the director of technology policy at the public-interest group, said "health apps and websites have been giving away our personal data for years without consequence. This case should be a turning point - now companies have to understand that sharing customer data without clear permission will lead to investigations and fines."
On its website, GoodRx says it has helped consumers save more than $45 billion since 2011.
The FTC said more than 55 million consumers have visited GoodRx's website or mobile apps since January 2017. It said the company collects personal and health information from its users and from pharmacies that confirm when one of its coupons has been used in a purchase.
The FTC said in a news release that GoodRx "deceptively promised its users that it would never share personal health information with advertisers or other third parties" while sharing information on their prescriptions and health conditions with third-party advertising companies and platforms including Facebook, Google and Criteo. That process helped GoodRx target personalized ads on Facebook and Instagram and other platforms, the FTC said.
Other provisions of proposed federal court order oblige GoodRx to direct third parties with whom it shared consumer health data to delete it and inform consumers.