GoodRx, Health Apps, and the High Cost of Weak Privacy

How a landmark FTC case against GoodRx exposed risky health data practices and what you can do to protect yourself.

By Sneha Tete, Integrated MA, Certified Relationship Coach
Created on

Digital health tools promise convenience, lower drug prices, and quick access to care. But the Federal Trade Commission (FTC) enforcement action against GoodRx shows that these benefits can come with a hidden price: the misuse of your most sensitive health information.

This article explains what happened in the GoodRx case, why it matters for anyone using health apps or telehealth platforms, and how you can better protect your health privacy online.

1. The Rise of Health Apps — and the Privacy Risk

Millions of people now rely on apps and websites to:

  • Compare prescription drug prices and find discounts
  • Track medications, lab results, and chronic conditions
  • Schedule virtual visits with clinicians
  • Monitor fitness, sleep, fertility, or mental health

GoodRx is one of the most widely used platforms in this space. It provides prescription discount coupons and offers telehealth services that let users access virtual visits and manage parts of their ongoing care.

Because these services touch on medical conditions, prescriptions, and other sensitive details, regulators expect companies to treat the resulting data with care. That includes being truthful about their privacy practices and complying with federal rules when something goes wrong.

2. What GoodRx Promised vs. What It Did

According to the FTC and the U.S. Department of Justice (DOJ), GoodRx repeatedly made privacy promises it did not keep.

2.1 Key promises to users

Publicly and in its privacy policy, GoodRx represented that it would:

  • Not share personal health information with advertisers or other third parties in ways that reveal users’ health conditions or prescriptions.
  • Share data only for limited purposes and subject to confidentiality obligations.
  • Honor self-regulatory guidelines, including rules that restrict the use of prescription and medical data for advertising.
  • Operate under privacy protections comparable to those covered by federal health privacy law, sometimes reinforced visually with a “HIPAA-like” or HIPAA-related seal on its telehealth site.
Read More

The Future of AI: Preventing a Big Tech Monopoly >

The Future of AI: Preventing a Big Tech Monopoly

Consumers could reasonably assume from those statements that their medication histories and health concerns would not be used to fuel advertising campaigns.

2.2 What regulators say actually happened

In its complaint and settlement order, the FTC alleged that GoodRx:

  • Shared sensitive health data with advertising and analytics firms — including Facebook, Google, Criteo, Branch, and Twilio — for years.
  • Sent information that could reveal specific conditions and prescriptions, such as erectile dysfunction drugs or treatments for sexually transmitted infections.
  • Used that data to target users with personalized health-related ads on platforms like Facebook and Instagram, by uploading identifiable contact information and mobile advertising IDs tied to particular medications.
  • Did not adequately limit how these third parties could use or retain the data, allowing them to leverage it for their own internal purposes, such as improving advertising systems.
  • Displayed messaging and seals that wrongly implied compliance with HIPAA, even though GoodRx and similar apps typically are not HIPAA-covered entities.

Regulators said these actions directly contradicted GoodRx’s privacy representations and misled users about how their health data would be handled.

3. The Laws at the Center of the Case

The FTC action relied primarily on two legal frameworks: the FTC Act and the Health Breach Notification Rule.

3.1 Deceptive practices under the FTC Act

The FTC Act prohibits unfair or deceptive acts or practices in commerce. When a company tells consumers it will protect their data in specific ways but behaves differently, the FTC can treat that as deception.

In the GoodRx matter, the FTC alleged GoodRx violated the FTC Act by:

  • Making false or misleading statements in its privacy policy and marketing materials about data sharing and advertising uses.
  • Misrepresenting its adherence to digital advertising self-regulatory principles and HIPAA-related protections.

3.2 The Health Breach Notification Rule (HBNR)

The Health Breach Notification Rule applies to certain vendors of personal health records and related services that are not covered by HIPAA.

Among other things, the rule generally requires these companies to notify:

  • Affected consumers
  • The FTC
  • In some cases, the media

when there is a breach involving unsecured, individually identifiable health information.

The FTC alleged that GoodRx met the definition of a vendor of personal health records because it let users store and manage their medication and health information, yet:

  • Failed to provide required notifications after disclosing identifiable health information to third-party platforms without proper authorization.

The GoodRx case was notable because it was one of the first major enforcement actions explicitly using the Health Breach Notification Rule against a digital health platform.

4. What the Settlement Requires from GoodRx

To resolve the FTC’s allegations, GoodRx agreed to a court order with several far-reaching obligations.

Requirement What It Means in Practice
Ban on sharing health data for advertising GoodRx is permanently prohibited from disclosing user health information to applicable third parties for targeted advertising purposes.
Express user consent for other sharing The company must obtain affirmative express consent before sharing health data with relevant third parties for other uses and must clearly describe what data will be shared and why.
Data deletion obligations GoodRx must direct third parties that previously received sensitive health data to delete it and must notify users about the disclosures and the FTC action.
Data retention limits The company has to adopt and publish a data retention schedule and can keep personal health information only for specific, disclosed purposes and time periods.
Comprehensive privacy program GoodRx must implement a robust privacy program, designate responsible personnel, conduct regular risk assessments, and subject the program to periodic independent reviews.
Monetary penalty GoodRx agreed to pay a civil penalty of $1.5 million as part of the settlement with the FTC and DOJ.

Separate from the FTC case, GoodRx later agreed to a proposed $25 million class-action settlement over related allegations brought by consumers, which is subject to court approval.

5. Why This Case Matters Beyond GoodRx

The GoodRx enforcement action sends a broader message to the digital health industry and to consumers.

5.1 The FTC expects honesty about privacy promises

Regulators emphasized that companies cannot “cash in” on extremely sensitive health information while telling users their data is safe or will not be used for advertising. When privacy policies or marketing claims are inconsistent with internal data practices, enforcement risk is high.

5.2 Health data is broader than traditional medical records

Health information now flows through:

  • Telehealth platforms and e-visit tools
  • Discount card providers and pharmacy comparison sites
  • Mental health and wellness apps
  • Wearables and activity trackers

Even when HIPAA does not apply, the FTC and other regulators have made clear that companies handling health-related data must still comply with general consumer protection laws and, in some cases, specific rules like the Health Breach Notification Rule.

5.3 Design tricks (dark patterns) are under scrutiny

The settlement order also highlights concern about so-called dark patterns — interface designs that nudge or pressure users into sharing data or agreeing to terms they might not otherwise accept. Under the order, GoodRx must obtain consent in ways that are clear, straightforward, and free of manipulative design tactics.

6. How to Protect Your Health Privacy on Apps and Websites

While enforcement actions set important boundaries, consumers still have to make choices every time they download an app or create an account. You can reduce risk by taking a few practical steps.

6.1 Read (or at least scan) privacy policies strategically

You do not have to read every word, but look for key points:

  • What data is collected? Does it include diagnoses, prescriptions, location history, device IDs, or contacts?
  • Who is it shared with? Are advertisers, analytics services, or “business partners” mentioned?
  • Is data used for targeted advertising? Many policies explicitly reference advertising networks or personalized ads.
  • How long is data kept? Vague language like “for as long as necessary” can mean very long retention periods.

6.2 Adjust settings before you start using the service

Look for toggles and controls that may reduce data sharing:

  • Disable personalized or interest-based advertising if the option exists.
  • Turn off unnecessary location tracking.
  • Opt out of data sharing with “partners” where possible.
  • Use the most privacy-protective configuration by default.

6.3 Be cautious with cross-platform sign-ins and trackers

Signing in with large platforms (for example, social network accounts) or granting broad tracking permissions can make it easier to link your health activities to social media profiles or advertising IDs.

  • Consider using email/password logins rather than social sign-ins.
  • Limit permissions for tracking and analytics SDKs when your device or browser allows it.

6.4 Take advantage of your rights

Depending on where you live, privacy laws may give you rights to:

  • Access a copy of your data
  • Delete certain information
  • Opt out of targeted advertising or the sale of personal data

Companies often describe these rights in their privacy policies or provide web forms for making requests. Using these tools can reduce the amount of health-related data circulating among third parties.

7. Compliance Lessons for Digital Health Companies

The GoodRx case is also a roadmap of what regulators expect from digital health businesses.

7.1 Align public promises with actual practices

  • Ensure privacy policies accurately reflect data flows, including any sharing with advertisers, analytics providers, or social media platforms.
  • Avoid broad claims such as “we never share your health information” unless that statement is strictly true.
  • Review statements from executives, marketing materials, and in-app messaging for consistency with actual practices.

7.2 Build a real privacy program, not just paperwork

Regulators expect companies to have structured governance over data, including:

  • Designated privacy leadership and clear accountability lines.
  • Routine privacy and security risk assessments.
  • Written, enforceable policies on data sharing, retention, and incident response.
  • Vendor contracts that strictly limit third-party use of data to defined purposes and ban re-use for independent advertising or profiling.

7.3 Prepare for breach notification obligations

If a digital health provider qualifies as a vendor of personal health records, the Health Breach Notification Rule may require prompt notice to users, the FTC, and sometimes the media when there is an unauthorized disclosure.

Organizations should:

  • Map where health-related data resides and how it flows to third parties.
  • Define what constitutes a reportable “breach” under applicable laws.
  • Establish incident response plans that include regulatory notification steps.

8. Frequently Asked Questions (FAQs)

Q1: Does HIPAA protect my information in apps like GoodRx?

Not necessarily. HIPAA typically covers health plans, most health care providers, and their business associates — not all consumer apps. Many discount, telehealth, or wellness apps fall outside HIPAA but are still subject to the FTC Act and, in some cases, the Health Breach Notification Rule.

Q2: What counts as “sensitive” health information in this context?

Sensitive health information includes data that can reveal an individual’s physical or mental health conditions, treatment history, prescriptions, or other medical details. In the GoodRx case, information about specific medications and conditions, combined with identifiers like email addresses or device IDs, was treated as sensitive.

Q3: How can I tell if a health app shares my data with advertisers?

Check the privacy policy for references to targeted advertising, analytics partners, advertising networks, social media pixels, or sharing with “marketing partners.” If an app uses tracking tools from major platforms, it may be transmitting data that can support ad targeting.

Q4: What should I do if I think my health app mishandled my data?

You can contact the company to ask for an explanation or to exercise any access, deletion, or opt-out rights the app offers. You may also report concerns to the FTC, your state attorney general, or other relevant regulators if you believe a company’s privacy practices are deceptive or violate privacy laws.

Q5: Are other digital health companies facing similar scrutiny?

Yes. Following the GoodRx action, the FTC has brought cases against other health-related platforms for allegedly improper data sharing and misleading privacy statements. The agency has also issued policy statements warning apps and connected devices that collect health data to comply with the Health Breach Notification Rule.

References

  1. GoodRx’s not-so-good privacy practices come to light — Federal Trade Commission. 2023-02-01. https://consumer.ftc.gov/consumer-alerts/2023/02/goodrxs-not-so-good-privacy-practices-come-light
  2. FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising — Federal Trade Commission. 2023-02-01. https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
  3. FTC Brings First of its Kind Enforcement Action against GoodRx for Violating the Health Breach Notification Rule — WilmerHale. 2023-02-03. https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20230203-ftc-brings-first-of-its-kind-enforcement-action-against-goodrx-for-violating-the-health-breach-notification-rule
  4. FTC Enforces Health Breach Notification Rule against GoodRx in First-of-its-Kind Enforcement Action — Ropes & Gray. 2023-02-07. https://www.ropesgray.com/en/insights/alerts/2023/02/ftc-enforces-health-breach-notification-rule-against-goodrx-in-first-of-its-kind-enforcement-action
  5. FTC’s Enforcement Action Against GoodRx Breathes New Life into Decade-Old Regulation — Health Law Rx (Akerman). 2023-02-10. https://www.healthlawrx.com/2023/02/ftcs-enforcement-action-against-goodrx-breathes-new-life-into-decade-old-regulation/
  6. GoodRx Agrees to Pay $25 Million Settlement for Privacy Violations — Hunton Andrews Kurth. 2023-07-13. https://www.hunton.com/privacy-and-information-security-law/goodrx-agrees-to-pay-25-million-settlement-for-privacy-violations
Sneha Tete
Sneha TeteBeauty & Lifestyle Writer
Sneha is a relationships and lifestyle writer with a strong foundation in applied linguistics and certified training in relationship coaching. She brings over five years of writing experience to waytolegal,  crafting thoughtful, research-driven content that empowers readers to build healthier relationships, boost emotional well-being, and embrace holistic living.

Read full bio of Sneha Tete