FTC bars GoodRx from sharing consumers’ sensitive health info for advertising

$1.5 million? What a joke. That&#x27;s a tax, not a penalty.<p>I don&#x27;t think many are surprised that GoodRX was sharing data (violating its own privacy policy) but come on, have some teeth. You&#x27;d think with HIPPA that we&#x27;d treat anything medical more seriously.

I want FTC to put fear of god in bad actors like GoodRx. $1.5 million is pocket change for a company with $765 million annual revenue. They&#x27;ve spent $400k just on lobbying. This isn&#x27;t gonna change anything.

I&#x27;ve been suspicious of FSA accounts that want all the itemized receipts when you submit a reimbursement claim. Somehow they&#x27;ve become the validators for the spend you make rather than just the money shuffling body they used to be in years past.<p>I never understood how this came to be, but I later became suspect when receipts and other bits of the paper trail had to first pass through their hands rather than the previous arrangement where you were responsible for keeping those records on hand should you ever be audited by the IRS. They changed the UI pattern for reimbursement to force receipt uploads, and non itemized receipts got rejected. I wonder if they too use this information for like purposes as GoodRx.

&gt; GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA),<p>$900m in funding[0] and their business practices are straight out of a fly-by-night MLM brand.<p>[0] <a href="https:&#x2F;&#x2F;www.crunchbase.com&#x2F;organization&#x2F;goodrx" rel="nofollow">https:&#x2F;&#x2F;www.crunchbase.com&#x2F;organization&#x2F;goodrx</a>

A site like GoodRx should be run as a non profit that’s completely independent from advertisers. Once they start to rely on advertisers they will go down the same corrupt path like most other players in US health care.

Doesn&#x27;t allow data sharing from GoodRX to FB, Google etc. But does allow Amazon to purchase One Medical. I feel like both are pretty bad. But I am trying to understand the logic between allowing one and not the other? Am I missing something?<p>Also $1.5 million, in relative terms, seems pretty small. So again, data violations just seem to be the cost of doing business.

Unsure why there aren&#x27;t percentage based fines in the US. Strong lobbying preventing legislation with teeth from passing?<p>We know they&#x27;re a publicly traded company, we know their revenue, profit, etc. -- why not fine them a percent based on this data? It&#x27;s a little more tricky with private companies, but a certification process, and a undisclosed fine in those cases work too.

Does this preclude their users from suing them for violating the privacy policy (and other laws)?

Can someone explain to me how big of a deal this &quot;first of a kind&quot; collaboration between the DOJ and FTC actually is? Who set the penalty here? Is the door still open to further criminal investigation? What does this mean for a potential class action?<p>The biggest takeaway here seems to be the ban on sharing data, not on the fine itself. I interpret that to mean sharing the data for advertising purposes <i>is</i> legal, maybe with consent from the customer? But now GoodRx can&#x27;t do that?

&quot;&quot;&quot;GoodRx created Custom Events with names like “Drug Name” and “Drug Category” that tracked and shared the prescription medication name and health condition(s) associated with each unique GoodRx Coupon that users accessed. As a result, at times, when GoodRx shared a Custom Event, it was sharing its users’ health information.&quot;&quot;&quot;<p>Seems kinda dumb! I for one would probably not have written that code.

Let me tell you, having saved $thousands from GoodRx’s exposure of pharma’s underbelly, and the actual first-time competition that it fosters, I can forgive them for this underhand revenue stream.<p>Just yesterday $60.25, Walgreen’s, returned —&gt; $7.20, Safeway, GoodRx e-coupon.<p>My wife is finally a believer, and it paid for more than half of a $100 birthday gift for a poor cousin 1500mi away.

Absolutely right call. How can any company officer actually believe this was an acceptable business practice. Being in that business they must have heard of HIPAA and regulation around PHI. What would keep hospitals from selling patient info?