GoodRx, a telemedicine platform, allegedly failed to keep client privacy and has settled to pay $1.5 million to the Federal Trade Commission (FTC).
With the pandemic, many new concepts arrived in our society, including telemedicine. These platforms allow patients to receive health-related services in the comfort of their homes, with the advancement of technology. It can connect you to physicians virtually, receive prescriptions, and get a myriad of remote help. GoodRx was one of them, and their goal was to connect patients with virtual medicine.
The FTC complaint revealed that GoodRx broke the Health Breach Notification Rule by sharing private client information with various platforms, such as Facebook and Google, without warning. The telemedicine platform also sold specific prescription medication data, along with the private health backgrounds of its clients.
"Digital health companies and mobile apps should not cash in on consumer’s susceptible and personally identifiable health information," said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
GoodRx’s act was first discovered by Consumer Reports, which found that in 2020, they were lowering prescription costs by auctioning off customer information. When Consumer Reports published the article, GoodRx agreed to stop giving out information and generated a method for their clients to remove dispersed private information.
"For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles,” continued FTC. “GoodRx then used that information to target these users with health-related advertisements."
The FTC also said GoodRx did not comply with the Health Insurance Portability and Accountability Act (HIPAA), although they put the HIPAA seal on the bottom of its website despite its alleged health-data breach. GoodRx then provided its statement, contradicting the FTC ruling and acknowledging no mistakes. The telemedicine platform said they only agreed to pay the fee to "avoid the time and expense of protracted litigation."
"At GoodRx, protecting our users’ privacy is one of our most important priorities. We are thoughtful and disciplined about what information we gather and how and why we use it," continued GoodRx in a statement.
The telemedicine giant also expressed they had already addressed the issue with FTC around three years ago, and that advertising tracking pixels is a normal technology. They also denied sharing any medical records with platforms, and that they are a "leader on data privacy."