Bloomberg Law
Feb. 1, 2023, 4:20 PMUpdated: Feb. 1, 2023, 6:28 PM

GoodRx Hit With First FTC Fine Under Health Privacy Rule (1)

Andrea Vittorio
Andrea Vittorio
Skye Witley
Skye Witley

Digital health platform GoodRx has agreed to pay a $1.5 million fine for sharing consumer health information with advertisers in a first-of-its-kind enforcement action from the Federal Trade Commission.

The California-based company leveraged online consumers’ sensitive information, such as data about their prescription medications and health conditions, allowing third parties to target them with related advertisements despite its privacy promises to users, according to a complaint the FTC filed Thursday in federal court.

GoodRx shared consumers’ personal health information with Meta Platforms Inc.'s Facebook and Alphabet Inc.'s Google, as well as with online advertising companies Criteo, Twilio, and Branch, the commission alleged. The agency accused GoodRx of violating federal consumer protection law and a rule overseeing unauthorized disclosures of personal health data.

Since 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps for prescription drug discounts, telehealth visits, and other health services, the commission said. In response to the enforcement action, GoodRx said in a statement that the settlement “focuses on an old issue that was proactively addressed almost three years ago, before the FTC inquiry began.”

This marks the first time that the FTC has brought an enforcement action under its health breach notification rule since it was issued more than a decade ago. The case sends a warning to companies that use health information and technology firms that target advertising based on user data.

As part of the proposed court order sought by the FTC, GoodRx would be required to direct advertisers to delete any consumer health data that was improperly shared with them, though the order only would bind the telehealth platform.

GoodRx also would be permanently prohibited from sharing health data for ads and the company would need users’ permission for any other data-sharing. The order requires court approval.

Tracking Tool

GoodRx said the regulator’s complaint revolved around a widely used web tracking tool from Meta’s Facebook known as the Pixel. The company denied wrongdoing and disagreed with the agency’s assertion that using the tracking tool violated the health breach notification rule, adding that no medical records were shared. It also noted that its site no longer uses Meta’s Pixel tool.

“Millions of Americans use GoodRx to save on their healthcare, and we take strong measures to ensure they can trust us with their information,” the company’s statement said.

Users of its platform currently are given the ability to opt out of certain “pixels and cookies,” set privacy preferences, and request deletion of personal data, the statement said.

“We will continue to regularly review our privacy policies and procedures and strictly regulate how information flows to our partners to make sure that our users’ privacy is protected,” GoodRx said.

An FTC official declined to comment during a Wednesday media briefing on whether the agency is investigating other companies over suspected violations of the health data breach rule.

“Digital health companies and mobile apps should not cash in on consumer’s extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”

The FTC previously warned health app makers to heed its health breach notification rule, which imposes an obligation to notify consumers if their data is exposed or shared without their permission.

In the wake of the US Supreme Court’s decision overturning a federal right to abortion, the regulator also has signaled that it will monitor the use of sensitive data like location and health information, especially when companies claim that such data can’t be linked to a particular person.

The FTC’s 2021 enforcement advisory was meant to fill a gap in regulations for health apps, which aren’t covered by the Health Insurance Portability and Accountability Act, known as HIPAA. The federal law directs health-care providers and insurers to safeguard the privacy and security of personal health data.

—With assistance by Anna Edgerton

The case is US v. GoodRx Holdings Inc., N.D. Cal., No. 23-cv-00460, complaint filed 2/1/23.

(Updates throughout with GoodRx reaction starting in the fourth paragraph.)

To contact the reporters on this story: Andrea Vittorio in Washington at; Skye Witley at

To contact the editors responsible for this story: Tonia Moore at; Jay-Anne B. Casuga at

Learn more about Bloomberg Law or Log In to keep reading:

Learn About Bloomberg Law

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.