Medical Booking Firm Could Face Penalties for Selling Data

Australian Regulator Alleges HealthEngine Misled Consumers
HealthEngine Founder and CEO Marcus Tan

Australia’s fair trading regulator says it’s seeking penalties against HealthEngine, an online platform for booking medical appointments, for allegedly selling patient details to private health insurance brokers without disclosure and embellishing patient reviews of healthcare providers.

The Australian Competition and Consumer Commission says HealthEngine engaged in “misleading and deceptive conduct.” The agency is going to court to seek penalties against HealthEngine as well as a review of the company’s compliance program and an order to notify consumers whose personal details were shared.

The ACCC’s court filing

The ACCC’s action comes about a year after media reports detailed the alleged tampering with reviews and the sharing of personal details at HealthEngine. Information Security Media Group also uncovered that HealthEngine was soliciting dental patients and paying them to share their invoices, which experts said may have contravened Australian privacy law (see: HealthEngine Offered $25 Gift Vouchers for Dental Invoices).

HealthEngine’s CEO, Marcus Tan, says in a statement that the company “either discontinued or significantly overhauled the services in question over a year ago. These changes were made before HealthEngine was formally advised of any ACCC investigation.”

Tan acknowledges missteps but maintains the company had gained consent to share contact details.

“HealthEngine recognizes that our rapid growth over the years has sometimes outpaced our systems and processes, and we sincerely apologize if that has meant we have not always met the high expectations of us,” Tan says. “HealthEngine is confident that no adverse health outcomes were created and that personal information was not shared with referral partners unless the individual had expressly requested to be contacted.”

Improper Data Sharing

The HealthEngine booking platform is available for free to patients throughout Australia. Clinics that sign up for HealthEngine pay the platform a fee for new patients and for specialized listings. An average of 1 million people per month use the platform, the ACCC says.

The company, however, is more like a data broker and marketing platform. The ABC reported in June 2018 that HealthEngine was sharing private medical data with a law firm specializing in personal injury. The company maintained it had users’ consent to do this. But the ABC reported there appeared to be no way to opt out of it.

The ACCC alleges HealthEngine shared data with private health insurance brokers without proper disclosure between April 2014 and June 2018. The company had nine agreements with private health insurance brokers to share referrals, it says. The practice is often referred to as lead generation.

The data shared included names, phone numbers, email addresses, birth dates or birth years, appointment times, types of healthcare bookings and whether individuals carried private health insurance, the ACCC alleges.

The agency alleges that HealthEngine’s disclosures to consumers gave the impression that it would be the provider of health insurance-related services. It did not adequately disclose that personal information would be sent to insurance brokers and that it would be paid to do so, the ACCC alleges.

HealthEngine shared personal details for 135,000 individuals, the court filing states, although the total payment it received is redacted.

“HealthEngine deprived patients of the opportunity to control the transfer of their personal information to insurance brokers,” the ACCC alleges. “Patients were not informed of the arrangements HealthEngine had with the insurance brokers, and therefore unable to make an informed choice regarding the use of their personal information in this way.”

The agency says it is seeking an order “that would require HealthEngine to contact affected consumers and provide details of how they can regain control of their personal information.”

The ACCC is not the only organization to examine HealthEngine’s practices. The Office of the Australian Information Commissioner, which enforces the country's Privacy Act, also made inquiries after the controversies last year.

Tampered Reviews

Fairfax Media reported in June 2018 that HealthEngine appeared to be tampering with patient reviews in order to impart a more positive spin.

In the ACCC’s court filing, the agency contends HealthEngine edited reviews with negative comments and chose not to publish some. The practice is alleged to have occurred between March 2015 and March 2018.

The ACCC alleges HealthEngine edited or embellished patient reviews of clinics.

HealthEngine did not inform the public about how it handled reviews, the ACCC alleges. The agency found that of 128,000 patient reviews, HealthEngine only published 50,000.

The company discarded 17,000 reviews where a patient selected “no” to a question about whether they would recommend a practice to others, according to the court filing. The effect meant consumers had more favorable views of healthcare providers.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



