In a “first-of-its-kind” action with broad implications for the telehealth industry, the Federal Trade Commission on Wednesday sought a court order to prevent GoodRx, a popular website that provides discounts on prescription drugs, from sharing users’ sensitive health data for advertising purposes.

The FTC alleges that GoodRx, which allows shoppers to compare drug prices and access discounts, promised never to share health data with advertisers but nonetheless sent details about customers’ medications and medical conditions to Facebook, Google, and other companies via invisible digital trackers installed on its website. Consumer Reports first uncovered the data breaches in 2020.

The type of tracking GoodRx employed—using third-party tools like pixels, cookies, and tags to target users later with advertisements—has become commonplace in online medicine. In December, a joint Markup-STAT investigation found that 49 out of 50 direct-to-consumer medication websites analyzed had been sharing patients’ sensitive health information with advertising platforms, including their answers to medical screening questions and the names and dosages of medications they purchased. In June, The Markup reported that a third of the nation’s top 100 hospitals were sending Facebook the details of doctor’s appointments booked through their websites.

“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, stated in a press release. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The FTC’s order must still be approved by the U.S. District Court for the Northern District of California. However, GoodRx has already agreed to the terms while admitting no wrongdoing 

This is the first time the agency has sought to permanently ban a company from sharing customers’ health data with third parties for advertising purposes. In previous enforcement actions, the FTC has instead taken a more reserved approach, requiring companies to reform their practices and meet the clear and informed consent standard. In other words, the companies could continue to share customers’ data with third parties so long as they accurately and prominently explain the data sharing and obtain customers’ permission.

It’s also the first time the FTC has sought to sanction a company under its Health Breach Notification Rule, which requires organizations to notify consumers when their digital health information has been improperly exposed. As part of its settlement, GoodRx agreed to a $1.5 million fine under the rule.

The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.

Samuel Levine, director, FTC Bureau of Consumer Protection

The agency’s GoodRx order and earlier warnings suggest it intends to dust off the 13-year-old rule to crack down on the growing number of online companies that collect and share customers’ medical information but are not covered by the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA’s privacy rules, which are enforced by the Department of Health and Human Services (HHS), only cover certain entities, such as those that directly provide medical care or bill insurance. As The Markup recently reported, many telehealth companies avoid HIPAA by not accepting insurance and structuring their corporations as middlemen that connect patients with providers employed by separate entities.

From at least October 2017 through March 2019, GoodRx’s privacy policy stated that the company would “never provide advertisers … any information that reveals a personal health condition or personal health information,” according to the FTC’s complaint. The company’s HeyDoctor webpage, which is now called GoodRx Care, at one point also displayed a seal falsely suggesting that it complied with HIPAA.

But in one example from an August 2019 advertising campaign, the FTC alleges that GoodRx uploaded a list of its customers to Facebook that included their emails, phone numbers, and the names of medications they’d purchased. It then targeted those customers with health-related ads.

And at several points between 2017 and 2019, GoodRx allegedly manually reconfigured a tracker from Facebook on its website to ensure it would collect similar personal health information, according to the FTC complaint.

“We do not agree with the FTC’s allegations and we admit no wrongdoing,” GoodRx wrote in a press release following the FTC’s filing. “Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations.”

On Jan. 31, the day before the FTC filed its proposed order against GoodRx, a Markup test of GoodRx’s website found that it was still sending health data to a Google-owned advertising platform, including the name and dosage of medication we searched for. GoodRx also shared that we sought “Online Gender-Affirming Care with a trans-specialist provider.”

Credit:goodrx.com

As of the same day, GoodRx’s privacy policy stated that the company may use “cookies, tags, pixels, SDKs, and similar technologies” to help Facebook, Google, and others track users and target them with ads. 

“Once the order has been approved by the judge, GoodRx will be required to abide by the provisions of the order,” FTC spokesperson Juliana Gruenwald Henderson wrote in an email when The Markup asked the agency about the continued data sharing.

The FTC’s more aggressive approach in the GoodRx case adds to mounting pressure on health websites and providers to control their use of trackers from Facebook, Google, and other advertising platforms.

In December 2022, the HHS’s Office for Civil Rights issued a bulletin, citing The Markup’s coverage and stating explicitly that entities covered by HIPAA are prohibited from sharing health data such as sensitive urls, search terms, and button clicks with third parties via advertising trackers.

The North Carolina Attorney General’s Office opened an investigation into Facebook-related data breaches at hospitals in that state following The Markup’s earlier investigation. And across the country, patients have filed class action lawsuits against their hospitals and Facebook over the breaches.

Simon Fondrie-Teitler contributed to this story.