Remember that time I joked on twitter about GoodRx being a privacy nightmare and one of their people went off on me? Lol … https://triangletoot.party/@jhv/109791178748594439
Joe V. (@[email protected])

IMO, GoodRX already tanked & doesn't work. Maybe this will hasten their demise. https://gizmodo.com/ftc-fines-goodrx-prescription-data-facebook-google-1850059096 #drugs #GoodRX #health #medicine #digitalPrivacy "FTC Fines GoodRx $1.5M for Sending Your Medication Data to Facebook and Google for Ads"

Anyway I remember and I’m still effing salty and also correct
Lesley Carhart on Twitter

“Trying to explain GoodRx to friends in practically any other country... “It makes medication affordable, why?” “Well because drug prices are almost entirely unregulated here” “But how do they make money” “By advertising pharmacies to you in a phone app that collects ad data...””

I keep receipts of this shit and it’s why I live alone and drink.
@hacks4pancakes Well, Dry January's over, so we'll be toasting this one together (but apart). Cheers.

@hacks4pancakes

Is it also why you train with martial arts weapons?

@hacks4pancakes
Mmmm that’s a nice tasty morsel of schadenfreude
@hacks4pancakes I don't doubt you at all, but am I alone in not knowing they even HAD an app? Any time I've needed to use GoodRX, my pharmacist has always just grabbed one from their... display... thing... and used that. Are they secretly just an advertising company? I assumed they were just applying manufacturer/bulk coupons or some such.
@hacks4pancakes What else would you use practically unlimited cloud storage for except to keep (properly encrypted, if warranted) receipts? 🤔
@hacks4pancakes drinking is good it frees the spirits
@hacks4pancakes before I came to America, "health insurance" and "copay" were terms I'd never heard in my life up to that point...

@hacks4pancakes Trying to explain medication to Americans, the absolute does not compute of "It costs $12, not $50 and costs $3 if you don't have a job?"
"Yes, btw, I'm ok with paying more. I have a job, $12 isn't going to kill me."

....

@davedave this but I wish $50, more like $500…
@hacks4pancakes JFC. And now they’re still doing it but what, are they changing their privacy policy nobody reads to satisfy lawyers?
@hacks4pancakes Yet another instance of "If it's free to you, then you aren't the customer. You're the product."

@hacks4pancakes

I had a phone drone get rather snippy at me because I didn't want to be part of a data sharing program that they had enrolled me in out of the blue.

Tried to sell me on all the benefits for me & did not like my reply of no I don't want it, I'm angry you autoenrolled me, and fsck this plan.

@hacks4pancakes

I̶v̶a̶n̶o̶v̶a̶ Lesley is always right

@hacks4pancakes I am enjoying the FTC's villain era very much.

@hacks4pancakes I always felt they were on the data market. Not surprised.

Sadly, they were the only way to get two of my blood pressure scripts affordably.

I do have insurance now, so I *should* be able to switch over them, still. Grr Argh.

@THM_T17 we all depend on them and that’s why I was bitterly snarking

@hacks4pancakes I've started assuming everything is on the data market these days, my fridge, AI Assistants, Phone, Apps, cameras, anything with an internet connection, even the router, and switches get side eye from me at this point.

I have this extension for FireFox that is a Facebook container. It always puts a little fence on everything FB collects data from.

Still, I rarely see anyone doing *good* advertising with it. LOL

@hacks4pancakes
Hrrm. How does this work in the context of HIPAA?
Whenever I read a waiver that is thicker than a clickthrough, mandatory for treatment, and I see that I have to agree or ack to the provider sharing with 3rd party business partners, it gives me the willies. I seem to remember that HIPAA was originally about protecting patients and not weaponizing providers. Am I missing something?
@ipd HIPAA only protects health data in the context of a healthcare provider or their business partners, it’s not a general purpose privacy law. Basically any other entity that gets your data from a source that’s not a medical provider is not covered. In the case of GoodRx, the individual provides their prescription info on their own with no medical provider involved, so no HIPAA.
@jpeg
Business partner..
That means anyone that covered entities do business with, right? Anyone from the janitorial service they hire to the vending machine fillers?
It's a bogus moth-ridden security blanket

@ipd To clarify: “business partner” here requires a specific HIPAA-compliant contractual relationship, not just anyone the healthcare provider happens to do business with. An example would be a medical record software company. A janitorial service getting access to medical records would be a HIPAA violation unless they do HIPAA-compliant paper records destruction or something.

The big issue is when there’s no healthcare provider involved. If you type your data into an app (not associated with your healthcare provider) or Google guesses your condition based on web searches, then there are no HIPAA protections governing what they do with that.

@jpeg
If there is no requirement for third party enumeration, it's ambiguous, and therefore loaded with loopholes.

Do you have case law that shows that HIPAA is enforceable or enforced? Or where there have been fines because of violations?

"Personally Identifiable" and anonymized is another meaningless red herring. You know in infosec that given a few points of data that it's a sham.

Unless your job is to be the expert in the room when something's being discussed, so that the Powers that Be can say that they consulted an expert.

@ipd I used to work for a healthcare software company that has to comply with HIPAA, it is definitely enforced. They issue numerous fines every year, the ones for data breaches can get quite big given they fine per record.

Not sure how complete this list is: https://www.hipaajournal.com/hipaa-violation-fines/

HIPAA Violation Fines - Updated for 2023

HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. View a comprehensive list of the HIPAA covered entities and business associates that have been fined by regulators for potential HIPAA compliance failures.


@jpeg
Considering the scope and volume of the medical industry and associated entities, 22 violations in '22, 14 in '21, and 19 in '20, and the payouts, and considering the economics of the industry, it's shameful, how it's been enforced. Less than the price of doing business.

If you consider the price of ransomware, ddos and hacking, well, what we're talking about is a joke.

If Experian and the banks have reported compromise, I'm hard pressed to believe that the medical industry is that much better.

@jpeg
As I recall HIPAA was the result of AIDS and HIV+ patients being injured, disenfranchised by the lack of their medical privacy when those were death sentences.

People lost their cars and ins coverage, families and loved ones because of fear and prejudice.

It was ultimately passed as a portability law. yucch

@hacks4pancakes
I am really (impressed/shocked/dismayed) by how people in the US seem blasé re privacy...

I grew up in the US, lived over 10yrs in Ireland: while back living and working in the US, the company I worked for was coming to grips with the impending GDPR, the strange conversation I went through, like, "no, you can't just contract it away..." (Co. ultimately embraced the principles)

Many in US so used to 'sign away your rights' in contracts.

So glad I'm back living in GDPR land.

@hacks4pancakes Always deeply satisfying when "I was right" becomes headline news.
@hacks4pancakes I always figured there was something to them. Gotta make that money up somewhere. I hate everything related to our medical system.