(Reuters) — Healthcare company GoodRx Holdings has agreed to pay $1.5 million to settle allegations that it failed to notify customers that it shared personal health information with Alphabet’s Google, Meta’s Facebook and others, the Federal Trade Commission said on Wednesday.
Under the terms of the settlement, GoodRx will be barred from sharing user health data with other companies to use for advertising.
“Digital health companies and mobile apps should not monetize consumers’ extremely sensitive and personally identifiable health information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
GoodRx, which had more than 55 million people using its website or app in the past six years, is a platform that offers drug discounts while collecting health information from users and their pharmacy managers.
GoodRx promised users it would never share health information with advertisers but provided information to Google, Facebook, Criteo and others, the agency said in its complaint.
GoodRx said in a statement that the issue in the settlement was resolved three years ago before the agency began its investigation.
“We disagree with the FTC̵7;s allegations and we admit no wrongdoing. By entering into the settlement, we avoid the time and expense of protracted litigation,” the company said in a statement.
The settlement is the first under the FTC’s health breach notification rule, the agency said.
Under the settlement, the company is also required to set limits on how long it retains personal and health information, and to publicly publish the retention schedule, the agency said.