GoodRX sells health information to advertisers

❗Article Status Notice: This Article is a stub

This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼

The FTC took enforcement action against GoodRx Holdings Inc. for sharing consumers' sensitive health information with advertising platforms in violation of its privacy promises and the Health Breach Notification Rule. Since at least 2017, the company shared users' personal health data—including prescription medications and health conditions—with Facebook, Google, Criteo, and other third parties despite repeatedly promising it would never do so. GoodRx agreed to pay a $1.5 million civil penalty and is prohibited from sharing user health data with applicable third parties for advertising purposes.^[1]

Note that this is not in violation of HIPAA as the service that GoodRX provides is not technically covered under HIPAA law, due to this type of service not existing at the time of the writing of HIPAA law. ^[2] Of which they falsely stated that they are covered under with the intention to mislead customers that they have a standard of privacy. ^[3]

Background

GoodRX is a free prescription drug savings program designed to take advantage of how prescriptions are managed in the U.S. pharmacy system through the use of Pharmacy Benefit Managers. ^[4]^[5]

[Incident]

Change this section's title to be descriptive of the incident.

Impartial and complete description of the events, including actions taken by the company, and the timeline of the incident coming to the public's attention.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

From at least 2017 through February 2020, GoodRx shared consumers’ sensitive personal health information with third-party advertising platforms, including Facebook, Google, and Criteo. The shared data included prescription medication names, health conditions, and other intimate details that could reveal medical conditions when combined with browser information. GoodRx embedded tracking technologies—such as a Facebook JavaScript pixel—on its platform to facilitate this sharing for advertising purposes. This occurred despite the company repeatedly promising users in its privacy policy and public statements that it would never share such health data.

Consumer Reports reported the incident in March of 2020.^[6] A few days later, they stopped sending prescription data to Facebook. ^[7]

GoodRX's response

The company agreed to the settlement without admitting wrongdoing. ^[8]^[9]

Lawsuit

In November 2024, independent pharmacies filed at least three class action lawsuits against GoodRX and major pharmacy benefit managers. ^[10] The lawsuits also allege that agreements using GoodRX's software suppressed reimbursements for generic drugs and violated the Sherman Antitrust Act, of which practices amount to price fixing which harms small pharmacies while benefiting pharmacy benefit managers and their affiliates. ^[11]GoodRX also settled upon these lawsuits without admitting wrongdoing. ^[8]

Consumer response

References

[1] "FTC Enforcement Action to Bar GoodRx from Sharing Consumers' Sensitive Health Info for Advertising".

[2] "GoodRx, Health Data Brokerage, and the Limits of HIPAA".

[3] "FTC Enforcement Action Against GoodRx and BetterHelp".

[4] "Explain like I'm 5 - how does goodrx work?".

[5] "How does GoodRX work?".

[6] "GoodRx Saves Money on Meds—It Also Shares Data With Google, Facebook, and Others".

[7] "GoodRx Stops Sending Prescription Data to Facebook".

[:0-8] 8.0 ^8.1 "FTC fines GoodRx $1.5 million for sending consumer health data to Google and Facebook".

[9] "GoodRx Response to FTC Settlement".

[10] "Leeds Brown is soliciting over GoodRx litigation— proceed with caution".

[11] "GoodRx, PBMs accused of suppressing reimbursements to independent pharmacies".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]