By Natasha Singer | The New York Times

Millions of Americans have used GoodRx, a Santa Monica-based drug discount app, to search for lower prices on prescriptions like antidepressants, HIV medications and treatments for sexually transmitted diseases at their local drugstores.

But U.S. regulators say the app’s coupons and convenience came at a high cost for users: wrongful disclosure of their intimate health information.

On Wednesday, the Federal Trade Commission accused the app’s developer, GoodRx Holdings, of sharing sensitive personal data about users’ prescription medications and illnesses with companies like Facebook and Google without authorization.

The company’s information-sharing practices, the agency said, violated a federal rule requiring health apps and fitness trackers that collect personal health details to notify consumers of data breaches.

While GoodRx agreed to settle the case, it said it disagreed with the agency’s allegations and admitted no wrongdoing.

The crackdown on GoodRx comes at a moment of heightened concern over the leaking of sensitive health information, particularly in states that have banned or severely limited abortions. And it underscores the FTC’s intensifying efforts to push digital health services to beef up their user privacy and security protections.

The FTC’s case against GoodRx could upend widespread user-profiling and ad-targeting practices in the multibillion-dollar digital health industry, and it puts companies on notice that regulators intend to curb the nearly unfettered trade in consumers’ health details.

Over the last two decades, startups and giant tech companies have introduced a range of fitness devices, smartwatches and fertility apps. But unlike a person’s blood test results and other patient information collected by doctors and hospitals — which is protected by a federal law, the Health Insurance Portability and Accountability Act, known as HIPAA — there are few legal protections that specifically cover personal health details, like the names of drugs or diseases, that tens of millions of consumers enter into apps or search for online.

In 2019, GoodRx uploaded the contact information of users who had bought certain medications, like blood pressure pills, to Facebook so that the drug discount app could identify its users’ social media profiles, the FTC said in a legal complaint. GoodRx then employed the personal information to target users with ads for medications on Facebook and Instagram, the agency said.

Those data disclosures, the agency said, flouted public promises the company had made to “never provide advertisers any information that reveals a personal health condition.”

If a judge approves the proposed federal settlement order, GoodRx would be permanently barred from sharing users’ health information for advertising purposes. To settle the case, the company also agreed to pay a $1.5 million civil penalty for violating the health breach notification rule.

GoodRx said in a statement that user privacy was one of its most important priorities. The company added that the settlement with the agency focused on issues that GoodRx resolved three years ago, before the FTC inquiry began.