Why GoodRx is emailing customers about sharing their health information

Originally Published: 02 MAR 23 10:06 ET

By Jennifer Korn

(CNN) -- GoodRx customers who typically receive emails about prescription drug deals and refill reminders from the company saw something very different in their inboxes this week.

CNN Video

Adderall shortage hits home for this Utah family

CNN senior medical correspondent Elizabeth Cohen meets a Utah family and their daughter struggling to fill her A.D.H.D. prescription during a national shortage. Source: CNN

GoodRX sent a notice to users detailing allegations from the Federal Trade Commission that the company shared sensitive health data with third parties for advertising purposes without customers' permission.

"This information included details about drug and health conditions people searched and their prescription medications," the company wrote in the notice e-mailed to customers and posted on its website. "We shared this information with third parties, including Facebook. In some cases, GoodRx used the information to target people with health-related ads."

The alert comes a month after the FTC announced a formal settlement with the digital health platform and issued a "first-of-its-kind proposed order" prohibiting the company from sharing health data from its customers with other companies for advertising.

GoodRx has previously denied wrongdoing. "We do not agree with the FTC's allegations and we admit no wrongdoing," the company wrote in February. "Entering into the settlement allows us to avoid the time and expense of protracted litigation."

GoodRX, accessible online and via a mobile app, offers telehealth visits and prescription drug coupons to users, but the FTC alleges its privacy practices have been "not so good."

The company said the timing of this week's communication was specified in the FTC settlement.

Still, the notice appeared to catch some customers off guard. Users took to social media to voice concern about the e-mail, with some wondering how much money the firm might have made from their health data and others swearing off using the service.

In addition to paying a $1.5 million civil penalty, the company has agreed to an order mandating other steps, including demanding third parties delete consumer health data and creating a "comprehensive privacy program."