GoodRx leaked sensitive health information to Facebook and Google, FTC alleges

The Federal Trade Commission on Wednesday accused GoodRx, the prescription drug discount platform, of sharing sensitive personal information about its users’ prescriptions and health conditions with big tech companies.

GoodRx, which also runs a marketplace for telehealth services, agreed to pay a $1.5 million civil penalty for sharing users’ health data — like medication use or health conditions — with third parties including Facebook, Google, and Twilio for advertising. The settlement marks the first time the FTC has taken action under its Health Breach Notification Rule, and comes as the federal government looks to crack down on consumer companies deceptively selling and sharing health data.

GoodRx collects sensitive information from users and from pharmacy benefit managers who confirm when a customer buys a drug using a discount from GoodRx. About 55 million people have used GoodRx since 2017.


The FTC said GoodRx shared that data with Facebook to target its own customers with medication-specific ads on Facebook and Instagram, among other breaches. In 2019, the company gathered a list of users who bought specific medications like blood pressure or heart disease drugs, and shared email addresses, phone numbers, and mobile advertising IDs with Facebook so their profiles could be tagged for health-related advertisements, FTC said. Sharing sensitive health data with advertisers directly contradicts its own privacy policy, according to the FTC.

Regulators also said GoodRx let third parties it shares data with tap its user health information for other purposes, including to improve their own advertising and to conduct research and development.


Under the Health Breach Notification Rule, the FTC can penalize companies for exposing potentially individually identifiable health information without notifying the people affected.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

GoodRx said in a blog post it did not agree with the allegations and admitted no wrongdoing, but that the settlement would let the company “avoid the time and expense of protracted litigation.”

It also said the issues mentioned in FTC’s complaint had been “ proactively addressed almost three years ago, before the FTC inquiry began,” including by removing a Javascript tracking pixel for sharing data with Facebook. 

Source: STAT