Lawsuit Alleges GoodRx Unlawfully Shared Health DataLitigation Also Names Meta, Google, Criteo in Use of Tracking Code Tech
Telehealth and discount prescription drug provider GoodRx faces a proposed class action lawsuit over its data-sharing practices with third parties just days after it settled a federal investigation into those practices.
A lawsuit filed against GoodRx on Thursday in a San Francisco federal court also names three of the company's third-party technology and advertising vendors as co-defendants: Facebook parent Meta, Google and Criteo.
The proposed class action alleges GoodRx committed a common law privacy tort since its users had a reasonable expectation of privacy. The company asserted it did not disclose or share the information it collected from users. But tracking code from Meta, Google, and Criteo embedded on GoodRx's platforms "knowingly and intentionally intercepted" user personal data and disclosed information including health information relating to their medical conditions, symptoms, and prescriptions to those third parties, the suit alleges.
The proposed class action lawsuit against GoodRx is the latest development in growing controversy involving the use of tracking codes on health-related websites to share data with third parties.
The FTC announced Wednesday a $1.5 million civil penalty against GoodRx, saying the company for years shared sensitive personal health information with third-party companies contrary to its privacy promises (see: FTC Hits Firm with $1.5 Million Fine in Health Data Sharing Case).
The company agreed not to engage in deceptive practices such as disclosing user health data to third parties for advertising purposes and a number of other activities.
The FTC enlisted the Department of Justice to file a complaint and a proposed order in the U.S. District Court for the Northern District of California. The order is subject to approval by a federal judge.
Besides the civil litigation filed last week, Meta is also a defendant in several cases involving the use of the company's Pixel tracking code on healthcare-related websites (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
Meta did not immediately respond to Information Security Media Group's request for comment on being named a defendant in the GoodRx lawsuit.
Google supplied a statement to ISMG asserting that it "prohibits personalized advertising based on sensitive data like health conditions or prescription medications. We also have strict policies that advertisers and developers must comply with regarding personally identifiable information being shared with us."
Even when a pixel is used for advertising purposes, it may have nothing to do with ad personalization, the online advertising giant also said.
"It might be used to prevent the same ads from being shown to users too many times, for ads measurement, or to prevent fraud. We understand that something like a user's prescriptions are inherently private, so we don't allow personalized advertising based on them."
Neither GoodRx nor Criteo immediately responded to ISMG's requests for comment on the Jane Doe lawsuit.
Other agencies besides the FTC have telegraphed their intention to scrutinize online behavior trackers. The Department of Health and Human Services' Office for Civil Rights in December in a bulletin warned that entities covered by HIPAA cannot use the trackers if the trackers transmit protected health information without patient consent or if the entities don't have a signed business associate agreement with the technology tracking vendors.
In recent months, at least four healthcare entities reported major health data breaches to HHS OCR involving their previous use of tracking code from companies including Meta and Google (see: Clinic Reports Tracking Pixel Breach Involving 3rd Party).
"Healthcare organizations that are within HIPAA need to understand and think about the granular digital health data they collect and use, especially when providing their healthcare services with the assistance of third parties," says Lucia Savage, chief privacy and regulatory officer at Omada Health.
"We know those third parties have to be HIPAA business associates, and that status limits how the third parties can use the data," says Savage, who is the former privacy officer at the HHS' Office of the National Coordinator for Health.
"Even as early as 2000, the HIPAA privacy rule concluded that an IP address could be PHI," she says.