The healthcare appointment booking company that earlier this month came under fire for skewing its reviews has reportedly been sharing user medical information, with law firms using the information for targeted advertising.
As reported by the ABC, Perth-based HealthEngine was reportedly sharing personal information with law firm Slater and Gordon, which was seeking clients for personal injury claims. It is believed the "referral partnership pilot" saw the startup give the law firm details on an average of 200 clients a month between March and August 2017.
According to the ABC, 40 HealthEngine users became Slater and Gordon clients.
As part of its booking service, the startup, funded by Telstra and Seven West Media, requires users to input details of their medical conditions, including whether they have suffered a workplace injury or been in a traffic accident.
This information is then shared with a third party, as detailed briefly in the agreement fine print.
"Consent to these referrals is not hidden in our policies but obtained through a simple pop-up form during the booking process or provided verbally to a HealthEngine consultant," HealthEngine stated on Twitter.
"Users are able to continue to use our booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form.
"We do not provide any personal information for the purposes of a referral without this consent."
The policy also states HealthEngine may collect information from third parties, such as family members, a legal guardian, or an authorised representative; health professionals and their practices, often via their practice management software systems; doctors; and pharmacists.
It also admits social media profiles are trawled for information.
"Some of these software services allow us to advise you of certain services and benefits available to you. We require our third-party service providers to agree to appropriate privacy restrictions, and only permit them to access personal information to the extent needed to provide goods or services to us; and other persons notified to you at the time we collect your personal information, who you give your consent to, or to whom we are authorised or required by law to make such disclosure."
HealthEngine admits it may also disclose de-identified information of its users to third parties for "analysis, research, and quality assurance purposes".
"Some third-party service providers used by HealthEngine may store your personal information on servers located overseas; however, they must also meet our requirements for privacy and data security," the company wrote.
It was also reported this month that 53 percent of the 47,900 "positive" patient reviews on HealthEngine had been edited in some way, with many flipped to appear as positive customer feedback.
"Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward," HealthEngine CEO and founder Dr Marcus Tan said in a statement.
"We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines."
Tan continued by saying patients have on occasion requested the non-publishing of moderated feedback and that his company "happily" complies.
"We have not intended to moderate any reviews to mislead readers, and over the last three years, have received very few complaints about the way we have moderated the comments, including from the patients who submitted them," he said.
"User trust is paramount to us at HealthEngine and we are conducting an internal and external review of the HealthEngine Practice Recognition System to ensure clarity, compliance, and best practice regarding the way in which we review and publish patient comments."