HealthEngine caught sharing medical data with compensation lawyers: Report

The Telstra-backed online appointment booking service was sharing medical information with personal injury law firm Slater and Gordon, the ABC has reported.

HealthEngine Promise statement (Screenshot: Asha McLean/ZDNet)

The healthcare appointment booking company that earlier this month came under fire for skewing its reviews has reportedly been sharing user medical information, with law firms using the information to target advertising.

According to the ABC, Perth-based HealthEngine was sharing personal information with law firm Slater and Gordon, which was seeking clients for personal injury claims. It is believed the "referral partnership pilot" saw the startup give the law firm details on an average of 200 clients a month between March and August 2017.

According to the ABC, 40 HealthEngine users became Slater and Gordon clients.

As part of its booking service, the startup, funded by Telstra and Seven West Media, requires users to input details of their medical conditions, including whether they have suffered a workplace injury or been in a traffic accident.

This information is then shared with a third party, as detailed briefly in the agreement fine print.

"Our Promise: Your privacy is important to us. HealthEngine will not provide your personal information to a third party without your express consent except as required or permitted by law, or in those circumstances described in our privacy policy," the company says on its website home page.

"Consent to these referrals is not hidden in our policies but obtained through a simple pop-up form during the booking process or provided verbally to a HealthEngine consultant," HealthEngine stated on Twitter.

"Users are able to continue to use our booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form.

"We do not provide any personal information for the purposes of a referral without this consent."

In its privacy policy, HealthEngine says it collects information such as name, date of birth, address, email address, phone number, gender, GPS location, marital status, occupation, cultural background, allergies, advance health directive, type of appointment booked, reason for booking, private health insurance fund and membership number, Medicare information, and the user's photograph. HealthEngine does not allow users to opt out of having their information shared with third parties.

The policy also states HealthEngine may collect information from third parties, such as family members, legal guardians, or authorised representatives; health professionals and their practices, often via their practice management software systems; doctors; and pharmacists.

It also admits social media profiles are trawled for information.

"HealthEngine may also disclose your personal information to other persons, such as third-party service providers (such as IT and software service providers, providers of research services, and our professional advisers such as lawyers and auditors), but only for the purpose of providing goods or services to us," the privacy policy says.

"Some of these software services allow us to advise you of certain services and benefits available to you. We require our third-party service providers to agree to appropriate privacy restrictions, and only permit them to access personal information to the extent needed to provide goods or services to us; and other persons notified to you at the time we collect your personal information, who you give your consent to, or to whom we are authorised or required by law to make such disclosure."

HealthEngine admits it may also disclose de-identified information of its users to third parties for "analysis, research, and quality assurance purposes".

"Some third-party service providers used by HealthEngine may store your personal information on servers located overseas; however, they must also meet our requirements for privacy and data security," the company wrote.

It was also reported this month that 53 percent of the 47,900 "positive" patient reviews on HealthEngine had been edited in some way, with many flipped to appear as positive customer feedback.

"Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward," HealthEngine CEO and founder Dr Marcus Tan said in a statement.

"We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines."

Tan continued by saying patients have on occasion requested the non-publishing of moderated feedback and that his company "happily" complies.

"We have not intended to moderate any reviews to mislead readers, and over the last three years, have received very few complaints about the way we have moderated the comments, including from the patients who submitted them," he said.

"User trust is paramount to us at HealthEngine and we are conducting an internal and external review of the HealthEngine Practice Recognition System to ensure clarity, compliance, and best practice regarding the way in which we review and publish patient comments."
