GoodRx Holdings illegally shared patient data to advertise on Facebook and Google, the Federal Trade Commission said Feb. 1, and the Justice Department filed a first-of-its-kind proposed order totaling $1.5 million against the prescription savings provider.
For the first time, the FTC is using its Health Breach Notification Rule against GoodRx for "failing to notify consumers and others of its unauthorized disclosures of consumers' personal health information" for years, the FTC said.
If a federal court approves, GoodRx will pay the $1.5 million civil penalty — which it has already agreed to — and will be banned from "sharing user health data with applicable third parties for advertising purposes," according to the FTC.
In a statement, GoodRx said the settlement is "an old issue that was proactively addressed almost three years ago, before the FTC inquiry began." The company said it admits no wrongdoing.
The FTC outlined five breaches committed by GoodRx:
1. Shared personal health information with Facebook, Google, Criteo and others
2. Used personal health information to target its users with ads
3. Failed to limit third-party use of personal health information
4. Misrepresented its HIPAA compliance
5. Failed to implement policies to protect personal health information
Criteo told Becker's, "Our policies and business practices prevented us from receiving or using the level of detailed information that other advertising providers received and use."