Export Compliance Daily is a Warren News publication.
'Shared and Sold' Data

GoodRx's Claims of HIPAA Privacy Rule Compliance Are 'False': Complaint

GoodRx’s representations that it restricts third parties’ use of customers’ personally identifiable information and that it complies with Health Insurance Portability and Accountability Act (HIPAA) privacy rules are false, alleged a Friday class action (docket 3:23-cv-00744) in U.S. District Court for Northern California in San Francisco.


The telemedicine platform, along with defendants Criteo, Meta and Google, “shared and sold” millions of users’ personal health information, without their consent, “to the most notorious and high profile data collectors and advertisers” for unlawful and unauthorized purposes, said the complaint. The defendants violated the Electronic Communications Privacy Act and California’s Confidentiality of Medical Information Act, Invasion of Privacy Act, Consumer Legal Remedies Act and Unfair Competition Law, plus plaintiffs’ and class members’ rights to privacy, the complaint alleged.

Illinois plaintiff “John Doe” used GoodRx to secure discounts on prescription medications 2016-2021. He disclosed to the company personally identifiable information, prescription medication information and personal health conditions, but he never gave consent for it to be shared with third parties, the complaint said.

Marketing information on GoodRx.com from 2020 said the company gathers current prices and discounts to help customers find the lowest cost pharmacy for their prescriptions with “no personal information required,” the complaint said. The company also “falsely promised” in a September 2017 privacy policy that it “does not sell your personal medical data.” The policy said GoodRx’s HeyDoctor collected and shared user information with third-party providers “for the limited purpose of providing access to its services,” and it cited the company's contractual and technical protections to limit third-party use of information.

GoodRx represented through the HIPAA emblem displayed on its website that it complied with requirements for protecting information; it also represented that it follows the Digital Advertising Alliance “Sensitive Data Principle” about not using records without consent, the complaint said. But GoodRx integrated third-party tracking tools from Criteo, Google and Meta in its website and mobile app to permit the other defendants to intercept communications between the plaintiff and the GoodRx website, it said.

Intercepted information included class members’ drugs searched; health condition related to medication, plus dosage, quantity and form; the pharmacy name; and IP and location information, the complaint alleged. GoodRx used their information to create and send targeted ads while they were online, it said. The company also used information obtained through its relationships with pharmacy benefit managers to create custom audiences by uploading the emails, phone numbers and mobile advertising IDs of users, the complaint said. That allowed the company to target ads to people who used specific medications -- or were perceived to be candidates for its telehealth services, it said.

The plaintiff and class seek declaratory, injunctive and other equitable relief, including restitution and disgorgement. They also seek nominal, statutory, actual, compensatory, consequential, incidental and enhanced damages, plus reasonable attorneys’ fees and expenses.