The Federal Trade Commission has issued a $1.5 million fine against online pharmacy and telehealth provider GoodRx for allegedly sharing the private health data of its customers with Google, Facebook, and other third parties without consent. GoodRx has additionally agreed to an unprecedented provision that will ban the company from further sharing consumer health data with third parties for advertising. The FTC’s complaint comes after investigations by Consumer Reports and Gizmodo first discovered in 2020 that GoodRx was nonconsensually sharing the private health information of its customers with more than 20 companies.

In a complaint filed by the Department of Justice on Wednesday, the FTC accuses GoodRx of violating its own privacy promises and the FTC’s Health Breach Notification Rule by failing to notify those using its services that their private health information, such as their medical conditions and prescription medications, was being disclosed to advertising companies and third-party platforms.

The complaint alleges GoodRx shared consumer health data with Facebook, Google, Criteo, Branch, and Twilio since at least 2017, despite promising users that their information would never be disclosed to advertisers or other third parties. This information was allegedly used to target GoodRx’s users with personalized advertisements specific to their medications and health on Facebook and Instagram. The complaint also claims that the online pharmacy falsely misrepresented its HIPAA compliance.

GoodRx did not admit any wrongdoing in its statement responding to the FTC, claiming that it agreed to the settlement to “avoid the time and expense of protracted litigation.”

“We had used vendor technologies to advertise in a way that we believe was compliant with all applicable regulations and that remains common practice among many health, consumer and government websites,” said GoodRx. The online pharmacy also claims that the settlement focuses on “an old issue that was proactively addressed almost three years ago,” prior to the FTC’s inquiry. However, Gizmodo says The Markup’s Backlight tool shows that GoodRx.com continued to share consumer information with advertising companies and has since added new advertising partners since the original investigation in 2020.

The FTC’s order is still subject to approval by the federal court, but should it pass, it could have a profound effect on the legality of advertising practices within the health and medical industry.

“Health apps and websites have been giving away our personal data for years without consequence,” said Justin Brookman, director of technology policy at Consumer Reports (via The Independent). “This case should be a turning point — now companies have to understand that sharing customer data without clear permission will lead to investigations and fines.”

The practice of sharing consumer data with third parties without consent is fairly common across health apps and services. However, this case marks the first time since it was introduced back in 2009 that the FTC has sought to enforce its Health Breach Notification Rule, which mandates that companies inform consumers regarding unauthorized access to their personal health records. The FTC has previously said that the Health Breach Notification Rule could also be applied to consumer tech that isn’t covered by HIPAA — such as fitness trackers and health or diet apps.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is serving notice that it will use all of its legal authority to protect American consumers’ sensitive data from misuse and illegal exploitation.”