HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

GoodRx agrees to pay $25 million settlement over privacy lawsuit

Written by Caitlin Anthoney | Dec 11, 2024 12:58:42 AM

GoodRx has agreed to a $25 million preliminary settlement in a class-action lawsuit alleging the company shared sensitive user information with third parties through online tracking tools, violating privacy, wiretapping, and other laws.


What happened  

The plaintiffs in the consolidated case filed a motion in the U.S. District Court for the Northern District of California, seeking approval of the settlement. The lawsuit alleges that between 2017 and 2020, GoodRx disclosed sensitive personal and health information (like prescription details, email addresses, and phone numbers) to advertisers, including Meta, Google, and Criteo, via online tracking software. 

While the proposed settlement covers GoodRx, it excludes these co-defendants, allowing plaintiffs to pursue claims against Meta, Google, and Criteo separately.  

GoodRx denies any wrongdoing, claiming it has “good and meritorious defenses” but chose to settle to avoid prolonged litigation.  


The backstory  

The settlement follows a 2023 Federal Trade Commission (FTC) enforcement action against GoodRx, the agency's first under its Health Breach Notification Rule. The FTC imposed a $1.5 million civil penalty on the company for failing to disclose its data-sharing practices and barred it from sharing user health data with third parties for advertising purposes. 


Going deeper  

The $25 million fund will cover class member compensation, legal fees (up to $8.3 million), and administrative costs. Individual payouts depend on the number of valid claims.  

Alleged violations include state wiretapping laws, healthcare privacy statutes, and consumer privacy rights. The plaintiffs contend that these practices unjustly enriched GoodRx at the expense of its customers.  


What was said  

“Given the scope of the matter and the fact that it relates to individually identifiable health information, the settlement is not surprising and something that all boards should be looking at closely,” said Rachel Rose, a regulatory attorney not involved in the case.  


Why it matters  

Companies that deploy tracking tools in sensitive sectors like healthcare face growing legal and regulatory pressure. Beyond the direct cost of settlements and penalties, alleged data privacy violations erode consumer trust. 


The bottom line  

Companies handling health data must comply with rules like the FTC’s Health Breach Notification Rule (which reaches health apps and services that fall outside HIPAA) and, where it applies, HIPAA itself, to avoid similar legal and financial repercussions. 

Go deeper: FTC and HIPAA Breach Notification Rules: What's the difference?


FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.


Who must follow HIPAA rules?

HIPAA rules apply to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle patients’ protected health information (PHI).


How does HIPAA-compliant email help with cybersecurity?

HIPAA-compliant email, like Paubox, offers audit trails, access controls, and malware scanning. These features track PHI access and limit threat exposure, strengthening defenses against phishing and malware attacks.

Furthermore, Paubox email meets HIPAA’s Security Rule, helping organizations avoid penalties after a cyber incident.

Learn more: HIPAA Compliant Email: The Definitive Guide