The FTC is finally ready to take on health data leaks. The problem is bigger than GoodRx

The Federal Trade Commission took aim at prescription drug coupon site GoodRx this week in an early attempt to crack down on the unfettered sharing of consumers’ health data for advertising. It was the first time the agency had gone after such a health data violation.

But with the vast amounts of patient information now being mined and shared online, it’ll be far from the last.

In the three years since a Consumer Reports investigation revealed that GoodRx was leaking users’ data to Facebook and Google, the world of medicine has moved online — and the use of data-gathering tools like those deployed by GoodRx has significantly expanded. Scores of new telehealth startups — and big pharmaceutical companies — are now using detailed health information to target ads for virtual care and prescription medications to potential customers. Nearly every big tech company, from Meta to Google to TikTok, has developed trackers these companies can use to follow their customers’ browsing and buying patterns online.


The fast-changing landscape makes clear that the FTC has some catching up to do. And years after it first announced its intention to regulate health data more closely, the FTC finally seems poised to shore up its efforts.

“Combined with things like the Dobbs decision and the overwhelming focus on the sensitivity of health data, especially when it’s not protected by HIPAA, I’d expect to see more of these investigations,” Ben Rossen, formerly a senior attorney within FTC’s privacy and identity protection division, told STAT. “Using software development kits and pixel tracking on sites, it’s pretty common,” he added.


A recent investigation from STAT and The Markup found that of 50 direct-to-consumer telehealth companies’ websites, 13 had at least one tracker from Meta, Google, TikTok, Bing, Snap, Twitter, LinkedIn, or Pinterest that gathered data from medical intake forms. Twenty-five sites, including those for Hims & Hers, Ro, and Thirty Madison, had trackers that told at least one big tech company when users added specific items, like prescription drugs or a treatment plan subscription.

“There’s a ton of folks that rely on third party software development kits, and they don’t necessarily know everything it’s doing, so it may not be intentional,” said Rossen, who is now a special counsel on privacy and data security with Baker Botts.

As scrutiny of the use of trackers has grown, some health care companies and hospital systems have said they’ve stopped using the tools or have reviewed their use. But they are in some cases reluctant to stop using the tools altogether, given how valuable they’ve proved for the kind of targeted advertising that has helped fuel the industry’s explosive growth. Trackers let companies target ads to specific patient populations and to market to people who have previously visited their sites or put certain products in their virtual carts, often seeking treatment for conditions like migraines and mental and sexual health disorders.

But that same data often reveals specific characteristics about users’ medical conditions and buying patterns that they may not have been comfortable sharing with third-parties. In the case of GoodRx, the FTC alleged that the company used data on its customers’ health conditions and prescription medications to push medication- and disease-specific ads to them on Facebook and Instagram. In one instance, regulators said, GoodRx created lists of customers who had bought medications for heart disease and high blood pressure, and then put their phone numbers, emails, and advertising identifiers into Facebook to find their profiles and target them with ads.

GoodRx — which denied wrongdoing but agreed to pay a $1.5 million civil penalty in response to FTC’s allegations — said this week that it specifically removed a Facebook JavaScript tracking pixel almost three years ago. But it insisted that the tracker was still widely used online by other companies, including hospitals. The decision to discontinue its use, and to hire a new data privacy lead, came after increased scrutiny following the Consumer Reports investigation. (A test by The Markup on January 31 found that the company was still sharing data including user name, drug dose, and quantity of medication ordered with an ad platform owned by Google.)

The three years that elapsed between the GoodRx revelations and this week’s settlement raise questions about how fast regulators can move to rein in such a rapidly expanding field. But between a presidential transition and waiting for commissioners’ confirmation, “they’ve only been at full strength for the last six months or so,” Rossen said. “It’s not crazy unusual for cases to take that long in the FTC,” he said. While he said this enforcement was “aggressive” in signaling the agency’s commitment to regulating health data use, “I’m sure it was a complicated settlement to reach.”

The type of oversight the FTC is undertaking has become all the more important as new models of health care emerge. Much of the sensitive data these companies are tracking and sharing — like internet browsing patterns or drug purchases online — isn’t governed by HIPAA, which largely restricts medical data sharing by doctors or insurance companies. To some extent, privacy advocates have urged the FTC to shoehorn consumer health companies’ data use into its existing purview — an attempt to make up for a lack of regulation by the Department of Health and Human Services, which enforces HIPAA.

The FTC’s oversight is largely limited to unfair or deceptive business practices, but it seems likely to take an expansive view of another narrow authority to regulate health data sharing: the Health Breach Notification Rule, which requires companies that have shared or exposed individually identifiable health information from health records to inform customers of that breach.

Advocates for more stringent privacy oversight have for years urged the FTC to expand its interpretation of that authority to include companies like Facebook, which collect and store users’ sensitive health data including for marketing, though others said the rule was designed specifically to protect patients whose medical records were exposed.

In issuing its GoodRx ruling, the FTC seemed to signal its intention to continue digging in on health data. The agency also issued a blog post laying out what similar companies should take away from the GoodRx settlement.

“If sensitive health data is part of your business, understand that you’ve upped the ante on ensuring its security and privacy,” the FTC warned. “Like a truck hauling flammable material on the highway, companies that collect sensitive consumer data should exercise particular caution.”

Still, the agency is limited by its staff and their ability to go after these cases, Rossen noted. A smattering of state-level laws offer consumers varying levels of recourse for privacy violations, but health data use outside HIPAA still isn’t closely regulated by any one agency.

Companies can get ahead of this new enforcement by “finding ways to demonstrate proactive efforts on privacy” before they’re slapped with a penalty, including by hiring privacy counsel and explicitly informing customers when their sensitive data is being shared with third parties, said Cobun Zweifel-Keegan, managing director for the International Association of Privacy Professionals.

Despite criticism that the penalty was too small, any enforcement could severely impact a company’s reputation, he said — leading customers to question its ability to protect their sensitive data.

Source: STAT