With the abysmal state of health care in this country, it shouldn’t be surprising that tech companies — specifically those in the app space — have swooped in left and right to solve the ills that the federal government can’t or won’t. Want to monitor your blood pressure? There’s an app for that. Mental health getting you down? There are apps for that, too. And of course, there are apps to ease the multimillion-dollar headache plaguing the country at large: health insurance. And none is more popular than GoodRx. It’s ranked at the top of the Apple App Store, has more than 450,000 five-star ratings, and is — for roughly 10 million users per month, per the company’s own metrics — the key to getting the prescriptions you need at prices you can afford.

Hell, before becoming gainfully employed, I used this app to shave hundreds off my prescription for the psychiatric drugs I need to function, day in and day out. What I didn’t realize at the time is that every prescription refill comes with more than a few strings attached.

Because I cover the app space thoroughly, I’ve learned to be skeptical of everything I download on my phone — but for some reason, I was still shocked to see, with my own two eyes, multiple ad networks get their hands on my very personal data — including my specific prescription medications. As I dug deeper, what became even more shameful was that this wasn’t only 100 percent legal, it was 100 percent legal because it exploited very obvious loopholes in government regulation — and the internet itself.

Illustration: Jim Cooke (Gizmodo)

“Nothing happening here is illegal, it’s just taking advantage of the system,” Hined Rafeh, a PhD candidate at the Rensselaer Polytechnic Institute researching medical data regulation, told me. “We’re in a system where people are faced with the reality that ‘a doctor says I need to take this, I can’t afford it, but this company says that they’ll help me — and it looks like they have everything in their privacy policy, so it should be okay.’”

It is, in fact, more than okay. In GoodRx’s own privacy policy, the company begins by thanking users for “placing your trust” in the company.

“We understand that your personal information is sensitive, and also that privacy policies and legalese can be scary, so we want to thank you for trusting GoodRx with your data,” the policy reads, before going on to state:

Screenshot: A sample of some of the data we found being passed back to advertising partners. (Gizmodo)

GoodRx does not sell personal medical information. We do not provide your personally-identifiable medical information to third parties in exchange for payment.

First, let’s break down the idea of “personally identifiable” information. As I’ve tackled before, the idea of what is and isn’t “personally identifiable” from a legal POV is effectively meaningless. While looking over the data being shared from GoodRx’s app, I found it was being sent to four separate companies: Branch, which links users across their different devices, and Facebook both received my usage information, like how often I opened or closed the app. Braze, which helps advertisers target people across the internet, and Google Analytics received more invasive-seeming data, including the name of my pharmacy and my specific prescriptions.

Whether or not this data is explicitly “identifiable”—tied to something like my name or home address—is pretty much moot, since it is being linked to my individual device. But because these device identifiers aren’t considered “identifiable” even under the strictest data privacy law in the U.S.—despite the fact that these identifiers can literally be used to pinpoint a person’s precise location, among other sensitive details—these apps get a free pass. And that’s not the only free pass they get.

Screenshot: Some of the “consumer-facing data” that explicitly mentions prescriptions, dosages, and the name of a specific pharmacy, this time sent through Google Analytics. (Gizmodo)

“In my research, health data is data that is used or taken by a hospital from a patient — that data doesn’t include consumers,” Rafeh explained. “But when looking at companies like 23andMe, for example, they do the same exact tests that a hospital does. But their data is consumer data.”

She’s right. When I reached out to the Food and Drug Administration to get to the bottom of whether the pharma data being sent back and forth between GoodRx and these marketing companies could legally be considered “health data” covered under HIPAA, a spokesperson answered that “this is really out of the purview of the FDA,” and directed me to the Department of Health and Human Services’ “Office for Civil Rights.” There, a 2016 guide for app developers working in the healthcare space specifically outlines how apps like GoodRx don’t have to comply with HIPAA, the federal law that governs health information privacy:

Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. If you work for one of these entities, and as part of your job you are creating an app that involves the use or disclosure of identifiable health information, the entity (and you, as a member of its workforce) must protect that information in compliance with the HIPAA Rules.

Screenshot: A sample of the calls we found being made to Braze. (Gizmodo)

As Rafeh explained to me, HIPAA came into being to protect confidentiality between doctors and their patients — not between a private company and a consumer. As she put it, an app that you’d use to communicate directly with a doctor, or directly with a hospital, or directly with an insurance company would need to fall in line with HIPAA. But an app like GoodRx, which tracks drug prices and gives users coupons for discounted medicine, can have comparatively free rein over your health-related data since it’s a private party — no doctors or hospitals involved.

In the absence of guardrails from the FDA, these app developers are technically required to abide by the Federal Trade Commission’s privacy guidelines, which haven’t been updated since 2016. These recommendations, meanwhile, point app developers back to the FDA’s guidance surrounding the issue, while also giving a free pass to apps that vacuum up information that’s been reasonably “de-identified,” without offering a substantial definition for what that even means. When I asked about their policies surrounding health-related apps specifically, the FTC didn’t respond.

“It’s this shitty feedback loop where the customers are confused about what health information is, and they’re incessantly misinformed, and it’s decidedly designed,” Rafeh said. “But at the same time, it’s kind of like, the laws are there. This isn’t a secret.”

Whether this confusion is “intentional” is certainly up for debate, but this much is clear: There’s a lot of money riding on the outcome. Over the past few years, the market for DTC — or direct-to-consumer — healthcare has exploded into a multi-trillion dollar industry that’s caught the attention of the biggest names in tech, with Google, Facebook, and Amazon dipping their toes into the field in recent months. While GoodRx is quiet about its own financials, leaked investor documents point to a roughly $3 billion valuation in 2018 — a value that undoubtedly balloons with every acquisition the company makes.

“We strive to go above and beyond both legal requirements and consumer expectations when it comes to protecting consumer data,” GoodRx told me in a statement. In response to inquiries both from Gizmodo and Consumer Reports, the company also rolled out a standalone page on their site describing the appointment of a new “VP of Data Privacy” to “coordinate between engineering, marketing, and other teams to ensure we only share what’s necessary and always act in our users’ best interest.”

Of course, GoodRx isn’t alone — recent numbers point to big pharma turning its attention away from advertising in print and on television, and toward advertising where most of us spend our time: the internet. And while healthcare still takes up a substantially smaller chunk of the digital marketing pie than, say, retail, that number is growing, with recent figures pointing to the industry spending roughly $2 billion to reach consumers on their phones alone, according to research from eMarketer.

And that’s ultimately where my data comes in. When I looked at the information being sent from GoodRx to some of the major names in tech — Facebook and Google, along with Braze and Branch, two companies specific to the adtech space — most of what was being sent back and forth was fairly basic. Metrics like how often I opened the app, how long I spent browsing around for different prices, and so on.

Tracking my precise prescriptions — which seemed like the juiciest data nugget of all — seemed to be almost like an afterthought. An incredibly creepy afterthought, but an afterthought nonetheless.

As GoodRx explained in a statement, “personal medical information”—including the names of prescription medications—was never shared with Facebook, “even in coded form.” When this data was shared with Google, meanwhile, they emphasized that this intel is “de-identified,” stressing that the company doesn’t “use medical information to target advertising on Google.”

Because of the incredibly opaque way data moves from our phones through the internet and into major advertising platforms, those of us concerned about the specific details of digital privacy are often left with the frustrating reality of taking companies at their word. I can crack open an app with some helpful tools and see my extremely personal prescription data flowing into these ad pipelines, and I can see multiple companies passing off this unencrypted intel, but that’s it. Even an effort on GoodRx’s part to allow consumers to remove their data from this cash-grab ecosystem doesn’t actually do anything, because ultimately, even opening the app will just start the cycle over again. Perhaps more troubling is the fact that simply downloading GoodRx, whose whole value proposition is saving its users money, is valuable intel for advertisers who are trying to target people based on what they can afford. Knowing that I was a consumer on the “low-income” side is likely more valuable than knowing that I regularly “use antidepressants.”

And with healthcare costs on the rise with every passing month, it’s unlikely that any of us who use GoodRx already will be deleting the app for good anytime soon.
