Additional business information
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.
In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.
“Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”
California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. Since January 2017, more than 55 million consumers have visited or used GoodRx’s website or mobile apps.
According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule. Specifically, the FTC said GoodRx:
- Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third parties. GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third-party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.
- Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram. For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.
- Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising. It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.
- Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.
- Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.
Health Breach Notification Rule Violation
According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Health Breach Notification Rule. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.
GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio. The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule. More information on compliance and reporting breaches under the Health Breach Notification Rule is available at the FTC’s Health Privacy page.
Proposed Order
In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule. To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:
- Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information to applicable third parties for advertising purposes.
- Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information to applicable third parties for other purposes. The order requires the company to clearly and conspicuously detail the categories of health information that it will disclose to third parties and prohibits the company from using manipulative designs, known as dark patterns, to obtain users’ consent to share the information.
- Require company to seek deletion of data: The company must direct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.
- Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule. It also must publicly post a retention schedule, and detail the information it collects and why such data collection is necessary.
- Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.
Business Details
This is a multi-location business.
- Location of This Business: 2701 Olympic Blvd West Building #200, Santa Monica, CA 90404-4183
- BBB File Opened: 10/7/2014
- Years in Business: 13
- Business Started: 9/12/2011
- Business Incorporated: 11/4/2011
- Accredited Since: 10/31/2016
- Licensing Information: This business is in an industry that may require professional licensing, bonding or registration. BBB encourages you to check with the appropriate agency to be certain any requirements are currently being met.
- Type of Entity: Corporation
- Alternate Business Names:
  - flipMD Inc
  - GoodRx Holdings Inc.
  - GoodRx, Inc.
- Business Management:
  - Mr. Doug Hirsch, CEO/President
  - Mr. Trevor Bezdek, Secretary/CFO
  - Ms. Gracye Cheng, VP of Legal & Business Development
Customer Complaints
263 Customer Complaints
Most Recent Customer Complaint
11/04/2024
- Complaint Type: Product Issues
- Status: Answered
Customer Reviews
187 Customer Reviews
Most Recent Customer Review
Marissa F
1 star, 11/19/2024