GoodRx issued a public response
Here is that public response, which has not been taken down by GoodRX.. so it is only available on Wayback Machine
GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices
GoodRx refers to privacy as a "top priority".. but had no employees who were full-time assigned to working on it?
Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes
This contradicts what GoodRX has said in its statements.
In August 2019, HeyDoctor began prompting users to view a GoodRx Coupon for medications prescribed during their telehealth consultation. When a user did so, GoodRx configured the pixel to share information about the prescribed medication with Facebook, through a Custom Event called “drug.” It shared the medication name (such as “nitrofurantoin”); dosage (such as “100 mg”); form (such as “capsule”); whether the user was interested in viewing the GoodRx Coupon (such as “interested: Yes”); and the name and location of the users’ pharmacy (such as “Pharmacy: Capsule Pharmacy, New York, NY”). The pixel also shared users’ IP address, and website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons.
uhmm isn't this a HIPAA violation?
This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses.
These are the details of what was collected by the pixel integration according to the FTC.
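The two complaint excerpts above describe exactly which event names and parameters carried health data. As an added example (not code from the original page, from GoodRx, or from the FTC), here is a small review-time audit that inspects analytics/pixel event payloads and flags fields that look like personal health information or direct identifiers before such an event is allowed to fire. The field lists and the sample events are constructed to mirror the names the complaint describes; they are assumptions for the example, not captured traffic.

```javascript
// Added example, not code from the page, GoodRx, or the FTC: audit tracking
// event payloads for health-related fields and direct identifiers.

// Field names that indicate health data or direct identifiers, compared after
// lower-casing and stripping punctuation/whitespace. Both lists are assumptions
// for this example; a real deployment would keep its own inventory.
const HEALTH_FIELDS = new Set([
  "drug", "drugname", "drugcategory", "drugquantity", "dosage", "form",
  "pharmacy", "pharmname", "medication", "condition",
]);
const IDENTIFIER_FIELDS = new Set([
  "email", "phone", "firstname", "lastname", "gender", "zip", "zipcode", "ip",
]);

// "Drug Name" -> "drugname", "PharmName" -> "pharmname", etc.
function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Audit one event of the form { name, params }. Returns { severity, reasons }:
// "block" if any health-related field (or event name) is present,
// "warn" if only direct identifiers are present, "ok" otherwise.
function auditEvent(event) {
  const reasons = [];
  let health = false;
  let identifier = false;

  if (HEALTH_FIELDS.has(normalizeKey(event.name))) {
    health = true;
    reasons.push(`event name "${event.name}" is health-related`);
  }
  for (const key of Object.keys(event.params || {})) {
    const k = normalizeKey(key);
    if (HEALTH_FIELDS.has(k)) {
      health = true;
      reasons.push(`parameter "${key}" carries health data`);
    } else if (IDENTIFIER_FIELDS.has(k)) {
      identifier = true;
      reasons.push(`parameter "${key}" is a direct identifier`);
    }
  }
  const severity = health ? "block" : identifier ? "warn" : "ok";
  return { severity, reasons };
}

// Audit a batch of events and return one finding per event.
function auditEvents(events) {
  return events.map((e) => ({ name: e.name, ...auditEvent(e) }));
}

// Constructed sample events modelled on the field names in the complaint.
const SAMPLE_EVENTS = [
  {
    name: "drug",
    params: {
      "Drug Name": "nitrofurantoin",
      dosage: "100 mg",
      form: "capsule",
      interested: "Yes",
      Pharmacy: "Capsule Pharmacy, New York, NY",
    },
  },
  { name: "PageView", params: { email: "jane@example.com", zip: "10001" } },
  { name: "PageView", params: { locale: "en-US" } },
];

for (const finding of auditEvents(SAMPLE_EVENTS)) {
  console.log(finding.severity.toUpperCase(), finding.name, finding.reasons.join("; "));
}
```

The first sample event is blocked on five separate grounds (the event name plus four parameters), the second only warns because it carries identifiers without health data, and the third passes. Wiring a check like this in front of the tag manager's event dispatch is the point at which a privacy team can stop such a payload, rather than discovering it later from the receiving platform's side.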
For example, GoodRx created Custom Events with names like “Drug Name” and “Drug Category” that tracked and shared the prescription medication name and health condition(s) associated with each unique GoodRx Coupon that users accessed
This specifically contradicts GoodRX's assertion that "medical records were never shared".
GoodRx displayed a seal at the bottom of the HeyDoctor homepage
Here is a link to wayback machine which shows the webpage as of Sept 2019
GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent.
This is the center of the FTC complaint against GoodRX.
[a]ny information we do receive is stored under the same guidelines as any health entity.
Sensitive Data Principle
Here is the link to the DAA Sensitive Data Principle
Digital Advertising Alliance principles
Digital Advertising Alliance(“DAA”)
Which can be found here
However, we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.
This is the smoking gun. GoodRX made specific privacy commitments and then failed to live up to them.
GoodRx receives a portion of a fee that pharmacies pay to PBMs when users purchase medications using GoodRx Coupons
This is important because it means that GoodRX does not need to try and make money selling patient data. It has a business model, and violated patient privacy in search of another business model.
labeled them by the medication they had purchased
This contradicts GoodRX statements that "no medical records were shared"
Case No. 23-cv-460
This is the FTC complaint for the GoodRX FTC breach.
Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020,
There are two watchdog events that qualify for this.
protecting our users’ privacy is one of our most important priorities
If this were true, this article would not be necessary.
I think it's fair to say that privacy is a "priority" for GoodRX. But not "one of our most important".
The fact that this non-apology letter exists indicates that your legal liability concerns and investor relations issues are far more important than patient privacy.
If patient privacy were "one of our most important" priorities at GoodRX then this document would be a readout of a post-mortem on the mistakes made and the steps taken to address those mistakes.
The FTC complaint specifically states:
GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices
GoodRX now has full-time privacy executives. But at the time, patient privacy was not so important that they could have someone attached to it. Not sure what "top priority" means, but this does not sound like it.
confidentiality provisions in place
This is not true.
They shared data with Facebook and Facebook's "confidentiality provisions" say "This is ours now and we will make this public". And they did in fact share the information. Which is how the watchdog found out about it.
Specifically, the FTC stated in its complaint:
...GoodRx has taken no action to limit how Advertising Platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio, could use the personal health information it shared with them. Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes
primarily IP addresses and web page URL information related to looking at content
The FTC complaint contradicts this, saying:
This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses. In May 2019, GoodRx configured the pixel to automatically share with Facebook additional personal information, including user first and last name; email address; phone number; city, state, and zip code; and gender
We are thoughtful and disciplined about what information we gather and how and why we use it.
Just to be clear.
GoodRx took information from its customers. Promised that it would not share information with third parties, and then shared it with Facebook anyway.
The FTC complaint summarizes the matter like this:
GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent
Everything you read after this should be with this in mind.
You can view the full terms of the settlement
It is interesting that GoodRX chose not to link to the original complaint, which includes the details that contradict the statements made on this page.
These statements are neither promises nor guarantees
It is very hard to believe in commitments made in documents when the document itself sends a notice to regulators that these are "not promises".
While we may elect to update such forward-looking statements at some point in the future, we disclaim any obligation to do so, even if subsequent events cause our views to change.
While I understand that this is boilerplate language for a public company, it reduces trust to say "If we change our mind and our policies, we reserve the right to keep this page up as it is".
This is a strong indication that this document exists as a message to investors and regulators primarily and not as a letter to the patient community that makes up GoodRX customers.
We’ve worked hard to earn that trust.
It is more reasonable to say:
"We have worked hard to monetize this trust, without totally panicking our customers" which is a more accurate statement.
GoodRx is a leader on data privacy.
Citation Needed.
The evidence against this.. is that this web page was ever necessary.
No medical records were shared.
As noted before this is false.
No medical records were shared.
This is disingenuous and demonstrably false.
First, using the pixel was just one of the problems that the FTC covers. GoodRX injected specific medication data labels into the Facebook Graph, which means that portions of medical records were injected into Facebook by GoodRX.
This sentence might say "We did not explicitly share medical records with Facebook using the pixel". And be true.
Because even the fact "John Smith uses GoodRX to purchase medical information" meets the criteria for Personal Health Information under US law. This kind of information would count as Social Determinants of Health data, which is now commonly part of Electronic Health Records.
This means that Facebook could have inferred portions of a medical record using the pixel on the GoodRx website.
The Facebook pixel continues to be used by many websites on the Internet, including U.S. Government websites, insurance companies, hospitals and others.
This is actually a good point.
In fact, I would suggest that GoodRX point out that only within the last month or two did the Health and Human Services (HHS) Office of Civil Rights (OCR) clearly release guidance that the Facebook pixel was not HIPAA compliant.
At that time, we also added a number of new, industry-leading ways for consumers to protect their privacy, including an option to request the deletion of personal data.
This feature is required for GDPR compliance. GDPR does in fact cover US companies when they grow so large that they have EU citizens as customers.
GDPR came into effect in 2018, but it was complete in 2016.
This means that the single example from GoodRX of a "new industry leading way of protecting privacy" is in fact mere-compliance with industry regulation and best practice.
This is another example of GoodRX holding themselves out to be leaders, when in fact they are clearly playing a game of catch-up regarding their privacy practices.
took action to be an industry leader on privacy practices
This is a very generous way to refer to action that can only be classified as "we stopped screwing up" or "we were no longer abusing the privacy of our customers".
This is like saying "Last year we could not field an NBA team, and this year we can! Which is essentially the same as winning an NBA championship". Merely being in the NBA != being a championship team.
to advertise in a way that we believe was compliant
There are only two possibilities:
A. GoodRX understood exactly how the "Facebook data vacuum cleaner" worked, and decided: 'other people are doing this too.. so it is OK for us to do it'
or
B. GoodRX (like the rest of the world) did not really understand how Facebook operated until a watchdog told them that they were publishing medication data by advertising in the way they were.
If GoodRX understood what it was doing with Facebook (A) then it would have known that what it was doing was clearly a violation of their own privacy policies and therefore an FTC breach notification.
If GoodRX did not understand what it was doing with Facebook, then referring to this as "believing to be compliant" is disingenuous. "Believing that you are compliant" presumes that you have a reasonable understanding of what you are doing.
proactively made updates
If the CEO of GoodRX had discovered that they were putting patient data into Facebook for the world to see, and then decided "hey we should not be doing this" and then instituted a change to stop that from happening. That would be "proactive".
But as the FTC complaint clearly documents, the actions that they took three years ago were in reaction to a privacy watchdog (and possibly more than one) discovering that they were sharing data when they should not.
It is not reasonable to use the phrase "proactively" when the correct word by all accounts is "reactively". This is an inappropriate spin on their previous failure, and factually inaccurate.
The Sensitive Data Principle
This is the principle that was mentioned in the FTC complaint about GoodRX practices.
GoodRx adheres to Digital Advertising Alliance principles.
This is one of the places on GoodRX website where GoodRX mentions that they adhere to Digital Advertising Alliance principles.
This is mentioned in the FTC complaint about their privacy breaches.
Case No. 3:23-cv-460
This document is the order for the FTC GoodRX PHR Breach Rule Settlement. This lists all of the things that GoodRX must do including paying a fine.
No, HIPAA Doesn't Apply
Apparently, the FTC breach notification rule does apply.
It is possible that this article is one of the articles that is referenced in the recent FTC complaint on GoodRX.
The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx
This is the basic enforcement. I do not believe this went to court. And this is the first time this has ever been enforced.
Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
HIPAA pretty much rolls over for law enforcement. Hard to imagine a circumstance where the law would protect a healthcare provider who refused to cooperate with a warrant or other request that they felt was an unreasonable invasion of their patients' privacy, or the doctor-patient relationship.
The previous methodology assigns beneficiaries in two steps based on the plurality of primary care services furnished 1) by primary care physicians, and 2) by specialist physicians, nurse practitioners, physician assistants, and clinical nurse specialists. In the final rule, we are revising the assignment methodology to remove certain specialty types whose services are not likely to be indicative of primary care services from Step 2, which places greater emphasis on primary care physicians. Additionally, we will include primary care services furnished by nurse practitioners, physician assistants, and clinical nurse specialists in Step 1 to recognize the primary care delivered by these professionals. Finally, through rulemaking in the 2017 Physician Fee Schedule, we expect to propose that beneficiaries may attest that their main doctor is participating in a performance-based risk track ACO and be assigned to that ACO.
This is as good a summary of the assignment changes as I have seen anywhere
A) Yes. If charitable organizations participate in the Shared Savings Program through an ACO along with private parties, the charitable organization must be sure that it continues to meet the requirements for tax exemption to avoid adverse tax consequences. For example, its participation must: not result in its net earnings inuring to the benefit of private shareholders or individuals, and not result in its being operated for the benefit of private parties participating in the ACO. The IRS determines whether prohibited inurement or impermissible private benefit has occurred based on all the facts and circumstances.
It says "yes" but many have argued that these two constraints essentially mean "no"
Requirements.—An ACO shall meet the following requirements:
These also seem to be the "purpose" of the ACO...
In 2000, Seisint Inc. (now LexisNexis Group) developed a C++-based distributed file-sharing framework for data storage and query. The system stores and distributes structured, semi-structured, and unstructured data across multiple servers.
Not sure if this counts as a predecessor to Big data...