GoodRx Sold Your Health Secrets to Facebook
TL;DR
- GoodRx, the prescription discount app used by 55.4 million consumers since January 2017, secretly shared users’ most sensitive medical data with Facebook, Google, Criteo, and other third parties for years.
- The data included specific prescription drug names, health conditions, telehealth Treatment Page visits, email addresses, phone numbers, home addresses, dates of birth, and mobile advertising IDs, all without user knowledge or consent.
- GoodRx then weaponized that data to build Facebook “Custom Audiences” sorted by medication and health condition, running targeted ad campaigns about drugs like Viagra, Cialis, HIV treatment, and birth control, using your own medical secrets to sell back to you.
- GoodRx had no formal internal privacy policies before February 2020. Zero. No dedicated privacy officer. No review process for data sharing. Marketing employees were creating health-data-sharing events with no oversight whatsoever.
- Even after GoodRx publicly said it stopped sharing health data with Facebook in February 2020, it kept transmitting health information to Facebook until at least November 2020.
- The U.S. Department of Justice, acting on behalf of the FTC, filed this federal complaint on February 1, 2023 (Case No. 23-cv-460), charging GoodRx with eight counts of violating the FTC Act and the Health Breach Notification Rule.
- GoodRx plastered a fake “HIPAA Secure. Patient Data Protected.” seal on its HeyDoctor telehealth service. The federal complaint confirms GoodRx is not a HIPAA-covered entity. The seal was a lie.
The full list of targeted ad campaigns, sorted by medication and health condition (including HIV, erectile dysfunction, pregnancy, and STD testing), is reproduced verbatim from the federal complaint in Legal Receipts.
The App That Knew Your Prescriptions and Told Facebook
GoodRx built its entire brand on a single promise: we help working people afford medicine, and we keep your health information private. The company, headquartered in Santa Monica, California, positioned itself as an ally of the uninsured and underinsured. It offered prescription discount cards, comparison tools for pharmacy prices, and eventually telehealth visits through its subsidiary HeyDoctor. Since January 2017, 55.4 million consumers have used its website or mobile app. That is not a niche service. That is a substantial slice of the American population, many of whom turned to GoodRx precisely because they could not afford the full cash price of prescription medications and lacked comprehensive insurance coverage.
The federal complaint, filed by the United States Department of Justice acting on behalf of the Federal Trade Commission on February 1, 2023, describes what GoodRx was actually doing with those 55.4 million users’ information. The short answer: selling it. The longer answer is documented across 27 pages of federal legal filings. GoodRx integrated tracking tools, specifically tracking “pixels” and Software Development Kits (SDKs), from Facebook, Google, and a digital advertising company called Criteo directly into its website and mobile app. These tools were configured to automatically harvest and transmit users’ health data to those advertising platforms. The data included the names of specific prescription drugs users searched for or purchased. It included the health conditions associated with those drugs. It included pharmacy names and locations. It included users’ IP addresses, their precise latitude and longitude coordinates (in the case of Google’s Android and iOS SDKs), and unique advertising identifiers like Apple’s IDFA and Android’s AAID, identifiers specifically designed to allow advertisers to track individuals across apps and devices.
None of this was disclosed to users. GoodRx’s privacy policy during this period said the opposite. Between at least October 2017 and March 2019, GoodRx’s written policy included the explicit promise: “However, we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.” The complaint notes that in March 2019, GoodRx quietly removed the phrase “or any other third parties” from that sentence. Then, in April 2019, it removed the entire sentence from its privacy policy with no notice to users. No announcement. No explanation. The promise just disappeared from the document, like it had never existed.
Meanwhile, the data kept flowing. GoodRx did not just passively allow the tracking pixels to collect ambient data. It actively configured Custom Events (descriptively named data packets) that specifically labeled and transmitted health information. Rather than using anonymous labels like “Event_1,” the company chose names like “Drug Name,” “Drug Category,” and “Drug Quantity” for these events. The complaint is explicit on this point: GoodRx chose descriptive titles that conveyed health information about its users. This was a deliberate engineering choice. Someone at GoodRx decided to label those data packets with the actual names of drugs and medical conditions. That decision sent users’ health information to Facebook with a readable, plaintext label attached.
Federal Complaint, Paragraph 5, Case No. 23-cv-460
The pivot from passive data leak to active exploitation happened through Facebook’s own advertising infrastructure. Using Facebook’s “Ads Manager” and its “Custom Audiences” feature, GoodRx took the health data it had already sent to Facebook and used it to build targeted advertising audiences sorted by medical profile. It created audience lists named things like “atorvastatin claims”, a list of Facebook users who had purchased that particular heart medication through a GoodRx coupon. It then used those lists to serve those specific users targeted advertisements about the very drugs and conditions that had identified them as members of that audience. Facebook employees had access to GoodRx’s Ads Manager account, including those descriptively named Custom Audience lists that referenced specific drugs and health conditions. Facebook itself later determined that GoodRx had violated its own advertising policy terms, which prohibit the sharing of health information with the platform.
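A privacy review can catch descriptively labelled events like these before they ship by auditing captured outbound requests. The sketch below is an added example, not code from GoodRx or the complaint: the hosts, the query-string layout and the identifier parameter keys are assumptions, and only the three event labels come from the text above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Event labels quoted in the complaint; matched case- and separator-insensitively.
HEALTH_LABELS = {"drug name", "drug category", "drug quantity"}
# Identifier kinds named on the page; these parameter keys are hypothetical.
IDENTIFIER_KEYS = {"email", "phone", "idfa", "aaid", "lat", "lon"}
# Hypothetical first-party host whose own API traffic is out of scope.
FIRST_PARTY_HOSTS = {"shop.example"}

def normalise(label):
    """Reduce 'cd[Drug_Name]' or 'Drug-Name' to 'drug name' for comparison."""
    inner = re.search(r"\[([^\]]+)\]", label)
    text = inner.group(1) if inner else label
    return re.sub(r"[\s_\-]+", " ", text).strip().lower()

def audit_request(url):
    """Return a finding if a third-party request carries a health-labelled field."""
    parts = urlsplit(url)
    if parts.hostname in FIRST_PARTY_HOSTS:
        return None
    health, identifiers = set(), set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = normalise(key)
        if name in HEALTH_LABELS:
            health.add(name)
        # The label may also travel as the value of an event-name parameter.
        if name == "event" and normalise(value) in HEALTH_LABELS:
            health.add(normalise(value))
        if name in IDENTIFIER_KEYS and value:
            identifiers.add(name)
    if not health:
        return None
    # Even without an explicit identifier field, the receiver still sees
    # the client IP of the request, so "linkable: False" is a lower bound.
    return {"host": parts.hostname, "health": sorted(health),
            "identifiers": sorted(identifiers), "linkable": bool(identifiers)}

def audit(urls):
    """Audit a list of captured request URLs and keep only the findings."""
    return [f for f in map(audit_request, urls) if f is not None]

# Constructed sample capture (not real traffic).
CAPTURED = [
    "https://tracker.example/collect?event=Drug%20Name&value=atorvastatin&aaid=CONSTRUCTED-AD-ID",
    "https://tracker.example/collect?event=PageView&page=%2Fhome",
    "https://ads.example/px?cd[Drug_Category]=statin&cd[Drug_Quantity]=30",
    "https://shop.example/api/coupon?drug_name=atorvastatin&email=user%40mail.example",
]

if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```

Run against a proxy or HAR capture of a staging build, a check like this gives the data-sharing review step that the complaint says GoodRx lacked before February 2020.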
The Non-Financial Ledger: What Was Actually Stolen From You
There is a reason medical information is supposed to be private. It is the same reason you close the curtain when you undress, the same reason you speak quietly to a pharmacist at the counter. Health information is a map of your body’s vulnerabilities, your life’s turning points, your private struggles and private choices. It reveals where you are afraid, where you are in pain, and what you are trying to hide or manage or survive. The federal complaint spells out the categories of information that GoodRx exposed: chronic physical or mental health conditions, medical treatments and treatment choices, life expectancy, disability status, parental status, substance addiction, sexual and reproductive health, and sexual orientation. Read that list again. Each item on that list is a reason someone could lose a job, lose housing, lose insurance coverage, or lose the trust and respect of people they depend on.
Consider what it means for a person’s sexual health information to be in Facebook’s data systems, tagged by name and linked to their profile. HeyDoctor, GoodRx’s telehealth subsidiary, ran targeted advertising campaigns targeting users who had visited its Treatment Pages for sexually transmitted diseases, HIV, and erectile dysfunction. The complaint documents a campaign running from November 1, 2018 through February 20, 2019, in which HeyDoctor targeted Facebook users who had visited its STD-testing Treatment Page with advertisements promoting those testing services. A campaign from November 1 through December 6, 2019 targeted users who had viewed HeyDoctor’s erectile dysfunction Treatment Page. These were people who had gone to a health platform seeking help with something deeply personal. They did not consent to that visit being relayed to Facebook, catalogued, and used to put ads on their feed that could be seen by anyone looking over their shoulder at a phone or a laptop.
The harm of this kind of exposure is not theoretical. The federal complaint acknowledges explicitly that unauthorized disclosure of this information “is likely to cause GoodRx users stigma, embarrassment, or emotional distress, and may also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services.” Employment. Housing. Insurance. These are not abstract concerns. These are the concrete, material consequences of a corporation deciding that your medical history is its revenue source. Employers make assumptions about productivity and reliability based on health conditions. Landlords discriminate. Insurance companies find ways to raise rates or deny coverage when they have access to health profiles they were never supposed to have. GoodRx handed the ingredients for those discriminatory decisions to some of the most powerful data aggregators on earth, for years, without telling anyone it was doing so.
The betrayal is compounded by who GoodRx’s users are. People who use prescription discount apps are, by definition, people who are navigating the American healthcare system on a budget. They are the uninsured, the underinsured, people on fixed incomes, people managing chronic illness without the cushion of comprehensive employer-sponsored coverage. GoodRx held itself out as a tool for exactly those people. It positioned itself as an ally against a broken, expensive healthcare system. Its marketing promise was: we are on your side, we will help you afford your medication, and your health information is safe with us. The people who most needed to trust that promise (people managing HIV, diabetes, heart disease, mental health conditions, substance addiction, reproductive health) were the people whose data was being packaged, labeled, and fed into Facebook’s advertising machine. That is a specific and deliberate targeting of vulnerability.
GoodRx’s telehealth product, HeyDoctor, added another dimension of betrayal. When a patient had a medical consultation through HeyDoctor and a doctor prescribed a medication during that session, GoodRx configured a tracking pixel that would transmit data about that prescription to Facebook the moment the user was shown a GoodRx coupon for the drug. The data shared included the specific medication name, dosage, pill form, and pharmacy location. The complaint gives the example of the medication nitrofurantoin, an antibiotic commonly prescribed for urinary tract infections, along with dosage, capsule form, and the name and city of the patient’s pharmacy. That information went to Facebook. A patient believed they were in a private medical consultation. They were also, simultaneously, in a data collection pipeline feeding a global advertising corporation.
And when all of this came to light, when Consumer Reports published its investigation in February 2020, GoodRx’s response was to lie publicly about the scope of the problem while privately scrambling to fix the mess. Its February 28, 2020 public statement said: “[w]e . . . do not target users with advertising specifying any particular medication based on our data.” The federal complaint documents at least nine distinct targeted advertising campaigns run between 2017 and 2020, each organized by specific drug name or health condition. GoodRx’s public denial was issued while the federal evidence of those campaigns existed in GoodRx’s own Ads Manager account, accessible to Facebook employees. Furthermore, even after GoodRx claimed it had stopped sharing health data with Facebook, the transmission continued. For users who had cached the tracking pixel on their browsers, data kept flowing to Facebook between April 2020 and November 2020. GoodRx did not notify those users. The Health Breach Notification Rule requires notification. GoodRx did not comply.
Legal Receipts: What the Federal Complaint Says, Word for Word
[Note from complaint: “In or around March 2019, GoodRx removed the phrase ‘or any other third parties’ from this promise. In or around April 2019, GoodRx quietly removed this entire sentence from its privacy policy, without providing any notice to users of the change.”] Complaint ¶27 and footnote 1, GoodRx Privacy Policy Promise (October 2017 – March 2019), Case No. 23-cv-460
“In truth and in fact, GoodRx is not a HIPAA-covered entity, and its privacy and information practices did not comply with HIPAA’s requirements.” Complaint ¶¶37 and 100, Case No. 23-cv-460
“[W]e . . . do not target users with advertising specifying any particular medication based on our data.” Complaint ¶¶57–58, GoodRx Public Statement, February 28, 2020, Case No. 23-cv-460
The complaint documents the full timeline of targeted advertising campaigns that GoodRx ran on Facebook and Instagram using users’ health data. These are drawn directly and verbatim from Paragraph 51 of the federal complaint:
GoodRx created four Custom Audiences of users who had filled prescriptions for Lisinopril, Azithromycin, Atorvastatin, or Prednisone, named “lisinopril claims,” “atorvastatin claims,” “azith claims,” and “pred claims.” Uploaded email addresses, phone numbers, and mobile advertising IDs. Targeted these users with advertisements featuring the purchased prescriptions.
GoodRx targeted users who had visited drug pages for Losartan, Amlodipine, Zolpidem, Topiramate, and Quetiapine.
HeyDoctor targeted users who had visited Treatment Pages relating to: “Acne,” “Birth Control,” “Blood Type,” “Cold Sore,” “Eyelash,” “Female condom,” “Hair Loss,” “Hepatitis C,” “HIV,” “Metabolism,” “Pre Diabetes,” “Pregnancy,” “Smoking,” “Sinus,” “TB,” “UTI,” and “Vitamin D.”
GoodRx targeted users who had visited HeyDoctor’s STD testing Treatment Page. Advertisements promoted HeyDoctor’s STD testing services.
GoodRx targeted users who had viewed coupons for Lipitor, Lisinopril, Neurontin, Prednisone, and Zithromax. Advertisements featured these prescriptions.
GoodRx targeted users who had viewed HeyDoctor’s Treatment Page for erectile dysfunction. Advertisements promoted obtaining prescriptions for erectile dysfunction through HeyDoctor.
GoodRx targeted users who had viewed coupons for Cialis or Sildenafil. Advertisements promoted HeyDoctor’s services.
GoodRx targeted users who had viewed a coupon for birth control medication. Advertisements promoted HeyDoctor’s services.
GoodRx targeted users who had accessed a coupon for Cialis or Sildenafil. Advertisements promoted GoodRx Coupons for Viagra.
Federal Complaint, Paragraph 81, Case No. 23-cv-460
By The Numbers: GoodRx’s Data Exposure Timeline
Societal Impact Mapping: What This Does to the Rest of Us
Environmental Degradation
The GoodRx case does not fit the conventional definition of environmental damage: there are no smokestacks or oil spills in this story. But the environmental dimensions of the surveillance economy that GoodRx participated in are real and deserve naming. The infrastructure that makes mass health data surveillance possible requires vast server farms, data centers, and energy-intensive computing operations maintained by companies like Facebook and Google. Every tracking pixel, every SDK, every Custom Event data packet that GoodRx transmitted to those platforms was processed and stored within a digital industrial complex that consumes enormous quantities of electricity and water for cooling. The environmental cost of the advertising technology industry is borne disproportionately by communities located near those data centers, often lower-income and majority-Black and brown communities, who live with the local pollution, noise, and infrastructure strain while the profits flow elsewhere.
There is also a systemic environmental dimension in the erosion of trust that follows health data scandals. When people learn that their prescription data has been weaponized against them by a company that was supposed to help them access healthcare, many stop using digital health tools entirely. This pushes vulnerable populations back into less efficient, more resource-intensive healthcare pathways. The destruction of trust in digital health infrastructure is not simply an emotional or consumer concern. It degrades the possibility of building more efficient, equitable, and sustainable public health systems that rely on trustworthy data stewardship. GoodRx’s actions were not a contained incident. They were a corrosive act against the foundation of digital health infrastructure that everyone depends on.
Public Health
The public health implications of GoodRx’s conduct extend far beyond the individuals directly affected. The complaint establishes that GoodRx’s user base includes 55.4 million people who have used its platform since January 2017. These users represent a cross-section of Americans managing chronic illness, mental health conditions, HIV, reproductive health, addiction, and a range of other conditions that already carry significant stigma. The unauthorized disclosure of their prescription and health-seeking behavior to advertising platforms created real risks of material harm: loss of insurance coverage, loss of employment, loss of housing, discrimination. Each of those outcomes removes a person further from the stability that supports health maintenance. People who lose jobs lose health insurance. People who lose housing lose access to consistent pharmacy access and medical care. GoodRx’s data practices created a pipeline from health information to potential economic ruin for some of the most vulnerable people in its user base.
The complaint also points to a chilling effect that will ripple through public health for years. The categories of health information exposed by GoodRx include substance addiction, sexual and reproductive health, mental health conditions, and HIV status. These are exactly the categories of health information that carry the highest stigma and the highest risk of discrimination. When people learn that seeking help for addiction, or testing for HIV, or asking about birth control through a digital platform means that information goes to Facebook, they stop using those platforms. They delay care. They avoid testing. The FTC’s own complaint acknowledges that disclosure of this information “may also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services.” A population that faces those threats does not seek care openly. GoodRx did not just betray its current users. It made every future health-seeking interaction with digital platforms more fraught for everyone who heard about this scandal.
The fake HIPAA seal on HeyDoctor’s telehealth platform deserves specific attention in the context of public health. Telehealth was expanding rapidly as
There is a press release on the FTC’s website about this from early 2023 if you’re interested in checking it out: https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising


