Several of the company’s business partners received the names of the medications, along with ID numbers and other information that can be used to single out individuals. The data can reveal intimate information that many people would keep private from all but their close friends and family.
As a test, we looked for discounts on Lexapro, an antidepressant; PrEP and Edurant, used to prevent and treat HIV, respectively; Cialis, for erectile dysfunction; Clomid, a medication used in fertility treatments; and Seroquel, an antipsychotic often prescribed to control schizophrenia and bipolar disorder. With the information coming off our test phone and browser, a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions, and make educated guesses about their sexual orientation.
Braze, a marketing firm, received the names of the drugs, the pharmacies where we sought to fill prescriptions, and ID numbers that advertising and analytics companies use to track the behavior of specific consumers across the web.
Like other companies we talked to, Braze assures Consumer Reports that the data collected isn’t shared broadly with data brokers or advertising companies. Braze says the data is only used to help GoodRx target its own users with information.Similarly, a company called Branch says it only uses the data it collects from GoodRx to make sure that links within the mobile app work correctly. GoodRx executives say the company doesn’t sell or share users’ health data with other companies to support targeted advertising.
“When we believe a user is running out of medication, we use Braze to email or text a reminder," says Thomas Goetz, chief of research at GoodRx. "We may also notify users when we are able to find a better price for their prescription,” he says. “To reach new customers who might find GoodRx useful, we place advertisements for GoodRx on third-party platforms, including Facebook and Google, and retarget users who have visited GoodRx to encourage them to come back and use the service.” Both Google and Facebook deny using prescription information for targeting individuals with ads. “We prohibit personalized advertising and advertising profiles based on sensitive information, including a user’s prescriptions,” a Google spokesperson says.
Source: Wall Street Journal testing of the app Other apps found sending Facebook information include; Instant Heart Rate: HR MOnitor, Realtor.com's app, "at least six of the top 15 health and fitness apps" and BetterMe: Weight Loss Workouts" Apple Inc. and Alphabet Inc.’s Google, which operate the two dominant app stores, don’t require apps to disclose all the partners with whom data is shared.
A Facebook spokesperson says, “We don’t want websites sharing people’s personal health information with us—it’s a violation of our policies. After an initial review, we think GoodRx’s use of our business tools requires a deeper investigation, and we’re reaching out to the company.”Our testing of the GoodRx app and website was led by Bill Fitzgerald, a privacy researcher in CR’s Digital Lab. “We observed sensitive information being passed along," he says. "If Facebook doesn’t want this information, and GoodRX doesn’t want to send it, it shouldn’t be happening. The app and site don’t need to be designed this way.”
GoodRx users we reached out to say they are surprised such intimate information was being shared for any purpose.
“I just assumed that there had to be some kind of protection laws or something associated with it because, you know, it’s medical data,” says Cam, a GoodRx user who works as a business analyst in New York. “My instinct was that it was okay, probably because of my past experience with medical information,” Marie of Philadelphia says. “I just assumed, you know, this was my private prescription app."
“It doesn’t feel right,” she says.