- Feb 2023
-
-
Concurring Statement of Commissioner Christine S. Wilson
This document is the discussion of one FTC commissioner on the GoodRX FTC complaint and proposed order.
-
-
www.goodrx.com
-
we admit no wrongdoing
Which means that as far as patient privacy is concerned, GoodRX has no integrity and its reputation is deservedly destroyed.
This is a "lawyer" response.
It will not keep GoodRX from being sued. It will not reduce the liability. But saying this is an absolute indication that this is a classic non-apology and failure to take responsibility.
To classify this as no-wrongdoing is intellectually dishonest, especially when GoodRX itself previously categorized this mistake as "not living up to our own standards". Note that this link is to a blog post that GoodRX has since taken down. It is not a good look to declare now that you did nothing wrong when you previously admitted that you had done something wrong, and then took down that blog post. The URL for that blog post now forwards to the GoodRX privacy policies (i.e. the privacy policies that they failed to honor, which is what got them in hot water with the FTC).
Again, quoting from that now-deleted blog post: "For this we are truly sorry, and we will do better. "
So this letter on the privacy problems is a retraction of the previous position, which was "Yeah, we were sharing data with Facebook... we should not have been... we will stop doing that, and we are sorry".
GoodRX could have chosen to notify all of its users of this problem at that time, but chose not to do so, putting it in violation of the FTC breach notification rule.
So no matter how you cut it, this is an example of wrongdoing. GoodRX did mess up, and they have never taken full responsibility for their mistakes. Indeed, what little responsibility they have taken, this article largely unwinds.
GoodRX does a valuable and critical service for patients. I will continue to recommend it to patients. But I will state, clearly, that GoodRX will sell patient data in unethical ways, and that this is the decision that patients need to make as they decide whether to have discounted medications or privacy.
GoodRX's current position is that patients must choose one or the other. Privacy or affordable medication. Not both.
-ft
-
protecting our users’ privacy is one of our most important priorities
If this were true, this article would not be necessary.
I think it's fair to say that privacy is a "priority" for GoodRX. But not "one of our most important".
The fact that this non-apology letter exists indicates that your legal liability concerns and investor relations issues are far more important than patient privacy.
If patient privacy were "one of our most important" priorities at GoodRX then this document would be a readout of a post-mortem on the mistakes made and the steps taken to address those mistakes.
The FTC complaint specifically states:
GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices
GoodRX now has full-time privacy executives. But at the time, patient privacy was not so important that they could have someone attached to it. I am not sure what "top priority" means, but this does not sound like it.
-
confidentiality provisions in place
This is not true.
They shared data with Facebook, and Facebook's "confidentiality provisions" say "This is ours now and we will make this public". And they did in fact share the information, which is how the watchdog found out about it.
Specifically, the FTC stated in its complaint:
...GoodRx has taken no action to limit how Advertising Platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio, could use the personal health information it shared with them. Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes
-
primarily IP addresses and web page URL information related to looking at content
The FTC complaint contradicts this, saying:
This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses. In May 2019, GoodRx configured the pixel to automatically share with Facebook additional personal information, including user first and last name; email address; phone number; city, state, and zip code; and gender
-
We are thoughtful and disciplined about what information we gather and how and why we use it.
Just to be clear.
GoodRx took information from its customers, promised that it would not share that information with third parties, and then shared it with Facebook anyway.
The FTC complaint summarizes the matter like this:
GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent
Everything you read after this should be with this in mind.
-
You can view the full terms of the settlement
It is interesting that GoodRX chose not to link to the original complaint, which includes the details that contradict the statements made on this page.
-
These statements are neither promises nor guarantees
It is very hard to believe in commitments made in documents when the document itself sends a notice to regulators that these are "not promises".
-
While we may elect to update such forward-looking statements at some point in the future, we disclaim any obligation to do so, even if subsequent events cause our views to change.
While I understand that this is boilerplate language for a public company, it reduces trust to say "If we change our mind and our policies, we reserve the right to keep this page up as it is".
This is a strong indication that this document exists primarily as a message to investors and regulators, and not as a letter to the patient community that makes up GoodRX's customers.
-
We’ve worked hard to earn that trust.
It would be more accurate to say:
"We have worked hard to monetize this trust, without totally panicking our customers."
-
GoodRx is a leader on data privacy.
Citation Needed.
The evidence against this is that this web page was ever necessary.
-
No medical records were shared.
As noted before this is false.
-
No medical records were shared.
This is disingenuous and demonstrably false.
First, using the pixel was just one of the problems that the FTC covers. GoodRX injected specific medication data labels into the Facebook Graph, which means that portions of medical records were injected into Facebook by GoodRX.
This sentence could say "We did not explicitly share medical records with Facebook using the pixel" and be true.
But even the fact "John Smith uses GoodRX to purchase medication" meets the criteria for Personal Health Information under US law. This kind of information would count as Social Determinants of Health data, which is now commonly part of Electronic Health Records.
This means that Facebook could have inferred portions of a medical record using the pixel on the GoodRx website.
-
The Facebook pixel continues to be used by many websites on the Internet, including U.S. Government websites, insurance companies, hospitals and others.
This is actually a good point.
In fact, I would suggest that GoodRX point out that only within the last month or two did the Health and Human Services (HHS) Office for Civil Rights (OCR) clearly release guidance that the Facebook pixel was not HIPAA compliant.
-
At that time, we also added a number of new, industry-leading ways for consumers to protect their privacy, including an option to request the deletion of personal data.
This feature is required for GDPR compliance. GDPR does in fact cover US companies when they grow so large that they have EU citizens as customers.
GDPR came into effect in 2018, but it was finalized in 2016.
This means that the single example from GoodRX of a "new industry leading way of protecting privacy" is in fact mere compliance with industry regulation and best practice.
This is another example of GoodRX holding themselves out to be leaders, when in fact they are clearly playing a game of catch-up regarding their privacy practices.
-
took action to be an industry leader on privacy practices
This is a very generous way to refer to action that can only be classified as "we stopped screwing up" or "we were no longer abusing the privacy of our customers".
This is like saying "Last year we could not field an NBA team, and this year we can! Which is essentially the same as winning an NBA championship". Merely being in the NBA != being a championship team.
-
to advertise in a way that we believe was compliant
There are only two possibilities:
A. GoodRX understood exactly how the "Facebook data vacuum cleaner" worked, and decided: "other people are doing this too... so it is OK for us to do it"
or
B. GoodRX (like the rest of the world) did not really understand how Facebook operated until a watchdog told them that they were publishing medication data by advertising in the way they were.
If GoodRX understood what it was doing with Facebook (A), then it would have known that what it was doing was clearly a violation of their own privacy policies and therefore required an FTC breach notification.
If GoodRX did not understand what it was doing with Facebook (B), then referring to this as "believing to be compliant" is disingenuous. "Believing that you are compliant" presumes that you have a reasonable understanding of what you are doing.
-
proactively made updates
If the CEO of GoodRX had discovered that they were putting patient data into Facebook for the world to see, decided "hey, we should not be doing this", and then instituted a change to stop that from happening, that would be "proactive".
But as the FTC complaint clearly documents, the actions that they took three years ago were in reaction to a privacy watchdog (and possibly more than one) discovering that they were sharing data when they should not.
It is not reasonable to use the word "proactively" when the correct word by all accounts is "reactively". This is an inappropriate spin on their previous failure, and factually inaccurate.
-
-
www.ftc.gov
-
GoodRx is not a HIPAA-covered entity
This is confusing, since apparently a subsidiary of GoodRX is providing prescriptions through its service (making it certainly HIPAA covered), and then data from that entity was shared with Facebook by GoodRx...
-
GoodRx issued a public response
Here is that public response, which has now been taken down by GoodRX, so it is only available on the Wayback Machine.
-
GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices
GoodRx refers to privacy as a "top priority", but had no employees who were full-time assigned to working on it?
-
Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes
This contradicts what GoodRX has said in its statements.
-
In August 2019, HeyDoctor began prompting users to view a GoodRx Coupon for medications prescribed during their telehealth consultation. When a user did so, GoodRx configured the pixel to share information about the prescribed medication with Facebook, through a Custom Event called “drug.” It shared the medication name (such as “nitrofurantoin”); dosage (such as “100 mg”); form (such as “capsule”); whether the user was interested in viewing the GoodRx Coupon (such as “interested: Yes”); and the name and location of the users’ pharmacy (such as “Pharmacy: Capsule Pharmacy, New York, NY”). The pixel also shared users’ IP address, and website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons.
Umm, isn't this a HIPAA violation?
-
This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses.
These are the details of what was collected by the pixel integration, according to the FTC.
-
For example, GoodRx created Custom Events with names like “Drug Name” and “Drug Category” that tracked and shared the prescription medication name and health condition(s) associated with each unique GoodRx Coupon that users accessed
This specifically contradicts GoodRX's assertion that "medical records were never shared".
-
GoodRx displayed a seal at the bottom of the HeyDoctor homepage
-
GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent.
This is the center of the FTC complaint against GoodRX.
-
[a]ny information we do receive is stored under the same guidelines as any health entity.
-
Sensitive Data Principle
Here is the link to the DAA Sensitive Data Principle.
-
Digital Advertising Alliance principles
- Here is a link to the current version of the principles.
- Here is a link to the version of the principles as of January 2019, which is the nearest Wayback Machine archive before March 2019.
- Here is the place on the GoodRX website where they continue to promote their participation in the DAA principles.
-
Digital Advertising Alliance (“DAA”)
Which can be found here.
-
However, we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.1
This is the smoking gun. GoodRX made specific privacy commitments and then failed to live up to them.
-
GoodRx receives a portion of a fee that pharmacies pay to PBMs when users purchase medications using GoodRx Coupons
This is important because it means that GoodRX does not need to try to make money selling patient data. It has a business model, and it violated patient privacy in search of another business model.
-
labeled them by the medication they had purchased
This contradicts GoodRX's statements that "no medical records were shared".
-
Case No. 23-cv-460
This is the FTC complaint for the GoodRX FTC breach.
-
Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020,
There are two watchdog events that qualify for this.
-
-
digitaladvertisingalliance.org
-
The Sensitive Data Principle
This is the principle that was mentioned in the FTC complaint about GoodRX's practices.
-
-
support.goodrx.com
-
GoodRx adheres to Digital Advertising Alliance principles.
This is one of the places on the GoodRX website where GoodRX mentions that they adhere to Digital Advertising Alliance principles.
This is mentioned in the FTC complaint about their privacy breaches.
-
-
www.ftc.gov
-
Case No. 3:23-cv-460
This document is the order for the FTC GoodRX PHR Breach Rule settlement. It lists all of the things that GoodRX must do, including paying a fine.
-
-
www.wfmynews2.com
-
No, HIPAA Doesn't Apply
Apparently, the FTC breach notification rule does apply.
It is possible that this article is one of the articles that is referenced in the recent FTC complaint on GoodRX.
-
-
www.ftc.gov
-
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx
This is the basic enforcement. I do not believe this went to court. And this is the first time this rule has ever been enforced.
-