Case Study
GoodRx Gets a Prescription After Selling Consumers' Health Data
GoodRx is a digital health platform that offers healthcare resources and discounted prescription drugs. The company collects sensitive personal health information about its users, including the types of medications purchased using a GoodRx coupon. The FTC brought an enforcement action against GoodRx, alleging the company violated its own privacy policies by selling consumers’ personal health information to Facebook, Google, Criteo, and other companies for advertising purposes. Additionally, as a vendor of personal health records, GoodRx violated the Health Breach Notification Rule, which requires companies to notify consumers, the FTC, and the media about the unauthorized disclosure of sensitive personal health information. The FTC’s proposed order requires GoodRx to strengthen its privacy protocols, such as by deleting data and limiting its retention, and permanently prohibits the company from sharing consumers’ health data with advertisers.