GoodRx – a mobile app that saves US consumers money on prescription drugs – has apologized and sworn to do better after a Consumer Reports investigation found that it was sharing people’s data with 20 other internet-based companies.
Consumer Reports had discovered that GoodRx was sharing the names of medications that people were using the app to research, including those of a highly sensitive, personal nature. For example, the consumer-focused nonprofit found it could use the app to look for discounts on Lexapro, an antidepressant; PrEP and Edurant, used to prevent and treat HIV, respectively; Cialis, for erectile dysfunction; Clomid, a medication used in fertility treatments; and Seroquel, an antipsychotic often prescribed to control schizophrenia and bipolar disorder.
The details GoodRx was sharing could lead to companies being able to infer “highly intimate details” about users, Consumer Reports said:
With the information coming off our test phone and browser, a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions, and make educated guesses about their sexual orientation.
Consumer Reports found that some of the firms that GoodRx used for marketing automation and customer engagement were receiving the names of people’s drugs, the pharmacies where users tried to fill prescriptions, and ID numbers that advertising and analytics companies use to track the behavior of specific consumers across the web.
Several companies that Consumer Reports talked to said that they don’t share data broadly with data brokers or advertising companies. Rather, they only use the data to help GoodRx target its own users with information.
Thomas Goetz, chief of research at GoodRx:
To reach new customers who might find GoodRx useful, we place advertisements for GoodRx on third-party platforms, including Facebook and Google, and retarget users who have visited GoodRx to encourage them to come back and use the service.
How is this legal under HIPAA?
Still, Google, Facebook and the other third-parties all receive the names of meds people are researching, along with other details that could let them pinpoint whose phone or laptop is being used. How is it that the country’s health privacy law – the Health Insurance Portability and Accountability Act (HIPAA) – doesn’t make it illegal to share this health data?
HIPAA requires medical professionals to keep patients’ information private and secure. In the US, we’re all likely familiar with the law: you can’t ride an elevator in a hospital without seeing reminders about patient confidentiality plastered on its walls, and we all have to read documents describing HIPAA when we visit a new doctor’s office.
But you can’t blame the doctors for this one. Many of them bring up GoodRx as a way to help patients save money on spiraling medication costs. Some of the healthcare providers Consumer Reports spoke with weren’t even aware that this data gets shared.
Dr. Erin T. Bird, a urologist in Temple, Texas, told Consumer Reports that he often brings up GoodRx to patients, particularly when he’s dealing with erectile dysfunction, urinary incontinence, and cancer – conditions that call for expensive medications.
It’s a conversation that occurs with pretty much every prescription.
Dr. Bird was surprised to learn that the GoodRx app and website was sharing his patients’ prescription information:
I think that most physicians would think that within the space of healthcare, there are some consumer protections. I would have assumed that.
He would have been wrong to assume that.
Consumer Reports spoke with Deven McGraw, chief regulatory officer at consumer health tech company Ciitizen and former deputy director of health information privacy at the US Department of Health & Human Services’ Office of Civil Rights, who said that people tend to have misconceptions about how far HIPAA goes to protect our health data:
If people think that HIPAA protects health data, then they probably believe that any health data in any context is going to be protected. That’s just not the case.
Consumer Reports delineated some of the use cases where your health data can wander freely online, outside of the protections of HIPAA, with “no more protection than your Instagram likes”:
HIPAA doesn’t apply to GoodRx or many other “direct-to-consumer” websites and apps that provide health and pharmaceutical information. It doesn’t apply to heart-rate data generated by a sports watch or Fitbit, information you enter into period-tracking apps, or running data held by running and cycling apps such as Strava. As far as the law is concerned, such information has no more protection than your Instagram likes.
On Friday, GoodRx said in a blog post that it has “never and will never sell our users’ personal health information.” Having said that, the Consumer Reports story led the company to re-examine its policies when it comes to sharing data with third parties. The review led GoodRx to determine that at least in the case of Facebook advertising, it was “not living up to our own standards.”
For this we are truly sorry, and we will do better.
GoodRx explained how it shares data with specific third parties, including, for example, how it uses Google Analytics to evaluate and improve the quality of the information it provides across its website, including its drug coupon pages.
The company listed a host of changes it’s initiating in order to better protect consumer privacy:
- Protecting data shared with Facebook: It will henceforth never share drug names, conditions or other personal medical information with Facebook, even in encrypted form.
- Protecting data shared with Google: GoodRx says it already de-identifies personal information shared with Google. It’s audited that data to ensure that any sharing is encrypted and meets Google’s strict privacy standards. “In other words, we sever any individual’s user information from web usage data,” it says.
- Protecting data shared with other third parties: The company has audited agreements with third-party service providers that have any contact with its users’ personal health information, and ensured that all providers operate at the highest standards of data privacy, including HIPAA standards wherever appropriate.
- Nationwide Rollout of California Privacy Protections: GoodRx is rolling out data privacy protections required for Californians by the new California Consumer Protection Act (CCPA) to all users, regardless of their location. That includes the ability to opt-out from cookies and tracking, as well as the ability to delete their data (which you can do here).
- Appointed new VP of Data Privacy: The new data privacy exec will oversee GoodRx’s data privacy efforts and coordinate between engineering, marketing, and other teams “to ensure we only share what’s necessary and always act in our users’ best interests.”
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.