Australian Online Health Platform Fined for Data Practices

HealthEngine Improperly Disclosed Personal Details, Tampered With Reviews
HealthEngine CEO Marcus Tan (Source: HealthEngine)

Australia’s federal court fined HealthEngine, an online platform for booking medical appointments, 2.9 million Australian dollars ($2.1 million) on Thursday for improperly sharing personal data and altering online reviews.

HealthEngine admits liability, according to the Australian Competition and Consumer Commission, the government’s consumer and fair trading watchdog. The ACCC took HealthEngine to court last year.

In response to the court’s decision, HealthEngine’s co-founder and CEO, Marcus Tan, says that “good intentions do not excuse poor execution.”

“When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes, and we sincerely apologized that we had not always met the high expectations of the community and our customers,” Tan says in a statement. “That apology still stands.”

Data Sharing

HealthEngine was launched in 2006 in Perth, Australia. Its platform facilitates booking medical appointments, earning fees from healthcare providers that subscribe to its lead-generation services.

The platform is free for patients, and it has attracted a large number of users. HealthEngine says it has made more than 30 million patient bookings. But as with many online companies whose revenue depends on the cultivation of personal data, HealthEngine found itself in trouble in 2018.

An investigation by the national broadcaster, the ABC, found HealthEngine had supplied private medical information of its users to law firms specializing in personal injury cases (see: Australia's HealthEngine Caught in Data-Sharing Fiasco).

That pilot program passed the details of an average of 200 potential clients a month from HealthEngine to the law firm Slater and Gordon over a five-month period, the ABC reported. HealthEngine maintained that it had consent to pass along the data, but the ABC reported that users didn’t have a way to opt out.

That led to a broader examination of HealthEngine’s data sharing and other practices. Information Security Media Group found, for example, that the company was soliciting dental patients for copies of their invoices in exchange for gift vouchers. Privacy experts said the practice was probably legal, but it rode a fine line (see: HealthEngine Offered $25 Gift Vouchers for Dental Invoices).

According to the ACCC, HealthEngine disclosed personal details for 135,000 patients between 2014 and 2018 to third-party private health insurance brokers. The data included names, birth dates, phone numbers and email addresses, but not clinical information. The ACCC contended HealthEngine transferred the data without adequately notifying consumers and said the company made $1.8 million from the sale of the data.

In a statement on Thursday, HealthEngine acknowledged it wasn’t made clear to consumers that third parties would be contacting them about other services rather than HealthEngine. “This was an error and HealthEngine apologizes for it,” it says.

Annual Compliance Audits

HealthEngine also acknowledged that between 2015 and 2018, its staff had edited about 3,000 online reviews of medical practices to “remove negative aspects or to embellish them,” the ACCC says. It also withheld 17,000 reviews from its reviews section, which it calls the Practice Recognition System.

“HealthEngine also admitted that it misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices,” the ACCC says.

This is an example of how HealthEngine doctored an online review. (Source: ACCC)

The court also ordered HealthEngine to contact the affected consumers and provide them with details on how they can control their personal information, the ACCC says. It must also commission an audit showing its compliance with Australian Consumer Law each year over the next three years.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
