GoodRx has had better days. And so have its users. A recent Consumer Reports article revealed that the application, which offers users discounted options on costly prescriptions, was also providing user data to more than twenty online companies. Details like what drugs people were researching were forwarded to Google, Facebook, and marketing firm Braze. Other information sent out allowed these companies to pinpoint whose device was being used to search.
The startup's mission to help people access affordable and convenient healthcare is admirable. Still, the lapse in data protection led the company to issue a statement: “A recent story in Consumer Reports… suggested that we were sharing more personal information with some third-party advertising platforms than we intended. Their feedback led us to re-examine our policies. In the course of our review, we found that in the case of Facebook advertising, we were not living up to our own standards. For this, we are truly sorry, and we will do better,” the company stated.
Many consumers who signed onto GoodRx’s services might believe that the app provider falls under HIPAA (Health Insurance Portability and Accountability Act) rules. However, that is not the case with companies like the online pharmacy finder. Interestingly, several of the digital, direct-to-consumer companies that provide services linked to personal health data collection do not qualify as "covered entities" under the Act. Due to this gap in regulation, GoodRx can disseminate sensitive information to other firms without being bound to these standards.
However, the prescription finder's statement outlined the changes it would be making to its privacy policies and practices. For example, GoodRx plans to ensure that no drug name or condition entered into the search bar is shared with Facebook, even in an encrypted form. Additionally, web usage data passed on to Google will be encrypted and audited according to strict privacy standards.
The firm is also committed to reviewing its contracts with third-party providers to meet the highest standards of data privacy, even HIPAA standards when appropriate. GoodRx will also extend consumer protections required under the CCPA (California Consumer Privacy Act), including an opt-out and data deletion requests, and will make these available to all users regardless of California residency. More importantly, it has appointed a VP of data privacy, who will be overseeing data privacy efforts.
GoodRx also expanded on why it used third-party providers. Braze, for example, is a messaging service that provides email or text reminders for prescription refills and alerts when the firm has located a better price on the user's prescription. The company also spoke about advertising with Facebook and Google to get the word out about its services. In each case, the firm specified whether people could opt in and out, what privacy standards were being used, and how information was anonymized if shared.
In the end, the firm offered an olive branch to users and invited them to be part of the $1 billion that GoodRx helps customers save every year on prescriptions and healthcare. The company stated it could still help users save money while putting privacy first.