Update February 22, 2023 – The Department of Justice (DOJ) and the Federal Trade Commission (FTC) announced that the settlement was finalized. “Pursuant to a settlement by the parties, a consent order was entered last Friday by the U.S. District Court for the Northern District of California.”
First came the announcement of a pending $1.5 million settlement with the Federal Trade Commission (FTC) for allegedly violating the FTC’s Health Breach Notification Rule. The next day GoodRx was sued in federal district court in San Francisco for alleged privacy violations. The federal lawsuit is a proposed class action, intended to represent the millions of individuals whose private information was sold to Meta (Facebook), Google and Criteo.
GoodRx offers consumers money-saving tips and coupons on prescription drugs. To access prescription discounts, a user enters the medication name and then selects a local pharmacy. When the prescription is purchased using a GoodRx coupon, GoodRx obtains a record of this purchase that includes the user’s name, date of birth, and prescription information.
The FTC Settlement
The FTC claimed that GoodRx shared users’ personal health information with advertisers without consent. The information included details about users’ drugs and health conditions and the prescription medications they ordered. According to the complaint, GoodRx also used tracking tools to share personal information such as phone numbers and email addresses.
GoodRx says it disagrees with the FTC, and is settling the investigation “to avoid the time and expense of protracted litigation.” In a statement the company also explained that it stopped using the tracking pixel almost three years ago, before the FTC contacted it about its practices.
Consumer Reports is credited with uncovering the health data leaks in an article published in February 2020, and it appears that article may have been the reason GoodRx stopped using the tracking pixel.
HIPAA Does Not Cover All Health Apps
GoodRx is neither a covered entity nor a business associate, so HIPAA does not apply. But the FTC has filled the gap to protect health information with its own Health Breach Notification Rule.
The FTC enforces federal consumer protection laws that prevent fraud, deception and unfair business practices in all sectors, while the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) enforces HIPAA in healthcare.
According to the FTC:
“health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers. These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.”
Noting that these companies are not covered by HIPAA, the FTC published the Health Breach Notification Rule and warned health app and connected device companies that it would take enforcement action over privacy breaches not covered by HIPAA.
However, a health app operated by a covered entity or business associate is covered by HIPAA. Health providers sometimes add app extensions to their websites, and these come under the covered entity’s HIPAA responsibilities. The Office for Civil Rights (OCR) recently published guidance about the use of pixel tracking technology by covered entities and business associates, warning that failure to comply with HIPAA could result in a civil money penalty.
Jane Doe vs GoodRx Holdings, Inc.
The class action lawsuit alleges GoodRx committed a common law privacy tort because its users had a reasonable expectation of privacy. Even though GoodRx asserts it did not disclose or share the information it collected from users, it had pixel tracking code from Meta, Google, and Criteo embedded on its platforms, so the lawsuit claims GoodRx “knowingly and intentionally intercepted” user personal data and disclosed information including health information relating to their medical conditions, symptoms, and prescriptions to those third parties. Meta, Google and Criteo are all named as co-defendants in the lawsuit.
The total number of people affected by the pixel tracker is not known, but the complaint points out that 20 million people use GoodRx’s services each month.
Health Privacy is Sacrosanct
Companies not covered by HIPAA should be on notice that consumers’ health privacy will be protected. Learn more about the FTC’s Health Breach Notification Rule if you handle private health information.
Covered entities and business associates should follow HIPAA, and this includes not allowing a third-party pixel tracker to access protected health information. Don’t take the vendor’s word for it; read OCR’s guidance on online tracking technologies.
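One concrete check behind that advice: inventory every cross-origin script, image and iframe a page loads, and flag the ad-tech hosts named in the lawsuit (Meta, Google, Criteo) as well as any unrecognised third party. This is an added example written for this page, not code from GoodRx, the FTC or the plaintiffs; the tracker host list and the sample HTML are constructed for the demonstration.

```python
# Added example, not GoodRx/FTC code: audit an HTML page for third-party
# tracking pixels and scripts. Tracker hosts and sample HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the three vendors named in the lawsuit (assumption: a real
# audit would source this list from a maintained tracker blocklist).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "static.criteo.net": "Criteo OneTag",
}

class _SrcCollector(HTMLParser):
    """Collect src/href of tags that trigger network requests."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)

def find_third_party_loads(html, first_party_host):
    """Return (host, label, url) for each load leaving first_party_host.
    Unknown cross-origin hosts are reported too, so nothing is silently trusted."""
    collector = _SrcCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue  # relative or first-party: not a disclosure channel
        findings.append((host, TRACKER_HOSTS.get(host, "unknown third party"), url))
    return findings

# Constructed sample page: one first-party script, three vendor tags, one pixel.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://static.criteo.net/js/ld/ld.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=EXAMPLE&ev=PageView" width="1" height="1">
<img src="https://cdn.health-example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    for host, label, url in find_third_party_loads(SAMPLE_HTML, "www.health-example.test"):
        print(f"{label:20} {host:26} {url}")
```

Run against a real page source, every reported host is a party that can observe the request URL and referrer, which on a drug-lookup page may itself carry the medication name.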