HealthEngine fined for sharing patient data without consent and skewing its reviews

Federal Court orders the company pay AU$2.9 million in penalties.

HealthEngine Pty Ltd has been ordered by the Federal Court to pay AU$2.9 million in penalties, following allegations it shared patient information and skewed its reviews.

The Federal Court found the Perth-based company engaged in misleading conduct in relation to the sharing of patient personal information with private health insurance brokers and publishing misleading patient reviews and ratings. 

HealthEngine provides a booking system for patients and an online health care directory that lists over 70,000 health practices and practitioners in Australia. The directory allows patients to search for and book appointments with health practitioners.

The company, which describes itself as Australia's largest online health marketplace, admitted that between 30 April 2014 and 30 June 2018 it gave non-clinical personal information such as names, dates of birth, phone numbers, and email addresses of over 135,000 patients to third party private health insurance brokers without providing adequate disclosure to consumers.

Such arrangements with private health insurance brokers saw HealthEngine pocket over AU$1.8 million.

In addition to the near AU$3 million fine, HealthEngine was also ordered to contact affected consumers and provide details of how they could "regain control of their personal information".

See also: Australian privacy law amendments to cover data collection and use by digital platforms

"These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers' data, they risk breaching the Australian Consumer Law," Australian Competition and Consumer Commission (ACCC) chair Rod Sims said on Thursday

"The ACCC is very concerned about the potential for consumer harm from the use or misuse of consumer data."

In response, HealthEngine said personal, not clinical, information was provided to private health insurance comparison services when consumers specifically requested a call regarding a health insurance comparison. 

"We did not make it sufficiently clear on the booking form that a third party, not HealthEngine, would be contacting them regarding the comparison and that we would be passing on consumer details for that to occur," the company said. "This was an error and HealthEngine apologises for it."  

The ACCC began investigating HealthEngine in July 2018 and launched legal proceedings in August 2019, alleging the company was sharing consumer information with insurance brokers.

In June 2018, it was reported that HealthEngine shared personal information with law firm Slater and Gordon, who was seeking clients for personal injury claims. It is believed the "referral partnership pilot" saw the startup, on average, give the law firm details of 200 clients a month between March and August 2017.

According to the ABC, 40 HealthEngine users became Slater and Gordon clients. HealthEngine said the ACCC took no action with respect to that activity.

The reports of the ill use of customer data followed claims that HealthEngine was skewing its own reviews.

In mid-2018, it was reported that 53% of the 47,900 "positive" patient reviews on HealthEngine had been edited in some way, with many flipped to appear as positive customer feedback.

"Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward," HealthEngine CEO and founder Dr Marcus Tan said in a statement the company issued at the time.

"We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines."

The ACCC on Thursday said HealthEngine admitted that, between 31 March 2015 and 1 March 2018, it did not publish around 17,000 reviews and edited around 3,000 reviews to either remove negative aspects or embellish them.

HealthEngine also admitted that it misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices.

"The ACCC was particularly concerned about HealthEngine's misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients' experiences," Sims said.

The review feature was pulled in June 2018.

"When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers," Tan said on Thursday. 

"That apology still stands.

"Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we've addressed."

He claimed that HealthEngine never has, and never will, sell user databases to third parties. 

"Further, the only time we provide clinical information to third parties is to a consumer's nominated healthcare provider to deliver the healthcare services requested by that consumer," Tan said.

HealthEngine added it was confident that no adverse health outcomes were created by these issues and no clinical data has been shared with any private health insurance comparison service.

HealthEngine admitted liability and made joint submissions with the ACCC to the Federal Court. The company will also pay a contribution to the ACCC's legal costs, the watchdog said.

Updated Thursday 20 August 2020 at 2:40pm AEST: Added comments from HealthEngine.

LATEST FROM THE CONSUMER WATCHDOG