Technology

GoodRx illegally shared health data with tech giants to target ads, government alleges 

Telemedicine company GoodRx allegedly shared sensitive personal health information with Google, Facebook and other firms to target ads to users, according to a complaint filed by federal regulators on Wednesday. 

The Federal Trade Commission (FTC) alleged that GoodRx, a company that lets users compare drug prices and receive coupons, shared sensitive information about users’ prescriptions and health conditions with advertising platforms that allowed them to target ads to users about specific health conditions and medications, despite claims that the company would not do so.

The order, filed by the Department of Justice on behalf of the FTC, seeks to ban GoodRx from sharing health data with advertisers. It would also require the company to direct third parties, such as Google and Facebook, to delete the data that was previously shared with them.

In addition to the proposed actions, GoodRx agreed to pay a $1.5 million penalty, according to the FTC. 

The order is subject to approval from a federal court. 


It is the first enforcement action the FTC has taken under its Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers and the FTC when that data is disclosed or acquired without the consumers’ authorization. 

Under Chair Lina Khan, the commission voted along party lines in September 2021 to clarify the rule to extend to digital health tools, such as apps and connected devices.

An FTC official said that if companies weren’t paying attention to the rule before, they will now. The official said the order filed against GoodRx will be a sign for the industry that the agency is not taking the issue lightly. 

The regulators alleged that GoodRx shared data with companies such as Google, Facebook, Criteo, Branch and Twilio in violation of the rule. 

For example, the agency alleges the prescription discount company compiled lists in August 2019 of users who purchased specific heart disease and blood pressure medication, uploaded their contact information — including email addresses, phone numbers and mobile advertising IDs — to Facebook in order to identify their profiles.

The platform then used that information to target those users with health-related ads, according to the complaint. 

GoodRX in a statement said it does not agree with the FTC’s allegations and does not admit to wrongdoing as part of the agreement. 

“Entering into the settlement allows us to avoid the time and expense of protracted litigation. We believe that the requirements detailed in the settlement will have no material impact on our business or on our current or future operations,” the company said. 

In a statement Criteo denied receiving or using personally identifiable information to target ads. 

“Consistent with our policies and practices in place with our clients, we can confirm that in connection with our digital advertising services with GoodRx, Criteo never received any personally identifiable information, such as name or email address, or prescription and medical information, such as a user looking at a particular prescription. Additionally, we never served any ads based on sensitive health information, such as prescription medication, and never served any ads with prescription medication,” Criteo said. 

The FTC official said the order will have a significant impact on the marketplace by making it clear that companies will face consequences if they abuse consumer health data. 

Agency officials declined to comment on other potential cases or companies that they are investigating over violations of the rule. 

Updated Feb. 3 at 10:43 a.m.