GoodRx Tells Customers It Shared Their Private Information, After FTC Action

information with third parties, including Facebook,” said the prescription discount drug firm. In some cases, GoodRx used the information to target customers with health ads, it said. “The Federal Trade Commission alleges we broke the law by sharing your health information without your permission,” it said, and to resolve the case, GoodRx agreed to an FTC order that it would tell third parties like Facebook to delete information it received from GoodRx, never share customers’ health information with third parties for advertising purposes, or without their permission, and put in place a comprehensive privacy program. The program will have “heightened procedures and controls” to protect personal and health information, and an auditor will review the program every two years for 20 years, it said. The FTC last month ordered GoodRx to pay a $1.5 million civil penalty for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google and other companies in violation of its health breach notification rule. A class action filed last week in U.S. District Court for Northern California in San Francisco alleges GoodRx’s representations that it complies with Health Insurance Portability and Accountability Act privacy rules and follows the Digital Advertising Alliance “Sensitive Data Principle” are false (see Ref:2302220043).