
HealthEngine's Latest Problem: A Data Breach

Coding Error Exposed Identifying Information In Medical Practice Reviews
HealthEngine founder and CEO Marcus Tan defended his company's marketing practices in a video published on June 27, 2018. (Source: HealthEngine)

Embattled Australian medical appointment booking service HealthEngine said late Friday that it has notified 75 users of a data breach that may have exposed some identifying information.


The data breach is the latest in a string of problems for HealthEngine, which has fallen under scrutiny for tampering with patient reviews and for its third-party marketing activities, which underpin its free medical booking service (see Australia's HealthEngine Caught in Data-Sharing Fiasco).

The breach involved HealthEngine's Practice Recognition system, which allows patients to write reviews of practices. It is unclear when the breach occurred.

More than 59,600 patient feedback entries may have been improperly accessed, and 75 of those contained "identifying information," HealthEngine says in a notice on its website.


"Due to an error in the way the HealthEngine website operated, hidden patient feedback information within the code of the webpage was improperly accessed," the company says on its website. "The information is ordinarily not visible to users of the site."

The information does not contain usernames or passwords, it says. The company has now removed all patient feedback from its website to ensure no more hidden reviews can be seen.
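The failure mode described above, unpublished feedback serialised into the page and merely hidden from view, is illustrated below as an added example; it is not HealthEngine's code, and the records, field names and function names are constructed for illustration.

```python
import html

# Constructed sample records (not HealthEngine data). "hidden" entries are
# moderated feedback that must never reach the browser.
FEEDBACK = [
    {"id": 1, "status": "published", "text": "Friendly staff.", "patient_name": None},
    {"id": 2, "status": "hidden", "text": "Long wait, Dr Smith was rude.", "patient_name": "J. Doe"},
    {"id": 3, "status": "published", "text": "Easy booking.", "patient_name": None},
]


def render_vulnerable(feedback):
    """Hypothetical 'before': every record is written into the HTML and
    unpublished ones are only suppressed with a CSS class. The page source
    (or a browser's DOM inspector) still contains them in full."""
    rows = []
    for f in feedback:
        cls = "review" if f["status"] == "published" else "review hidden"
        author = f["patient_name"] or "Anonymous"
        rows.append(f'<li class="{cls}" data-author="{html.escape(author)}">'
                    f'{html.escape(f["text"])}</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_fixed(feedback):
    """'After': filter on the server so hidden records are never serialised,
    and do not emit identifying fields at all. Visibility is decided by what
    is sent, not by what is styled."""
    rows = [f'<li class="review">{html.escape(f["text"])}</li>'
            for f in feedback if f["status"] == "published"]
    return "<ul>" + "".join(rows) + "</ul>"


def leaked_records(page_html, feedback):
    """Defender's check: return the ids of non-published records whose text
    or author string appears anywhere in the rendered page source."""
    leaks = []
    for f in feedback:
        if f["status"] == "published":
            continue
        needles = [f["text"], f["patient_name"] or ""]
        if any(n and html.escape(n) in page_html for n in needles):
            leaks.append(f["id"])
    return leaks
```

Running `leaked_records` against the output of a template in a test suite catches this class of bug before a release, whereas a visual check of the rendered page never will.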

"We take data security very seriously, and acted swiftly and decisively when we became aware of the breach," HealthEngine says.

The breach has been reported to the Office of the Australian Information Commissioner, which enforces privacy regulations.

Review Tampering, Marketing Questions

In June, HealthEngine came under fire for how it manages the Practice Recognition System. Fairfax Media found that more than half of 47,900 positive patient reviews had actually been edited, with the tone changed from tepid or negative.

In a letter, HealthEngine's founder and CEO, Dr. Marcus Tan, acknowledged that some user feedback had been edited in order to comply with regulatory guidelines. But he went on to say that "it appears there were occasions when our editing went beyond what was required under our regulatory obligations."

HealthEngine offers a free medical appointment app for consumers and a booking platform for clinics. Clinics pay when a new patient uses the company's service to make an appointment.

Both of those platforms are central to its marketing activities, which came under scrutiny earlier this week.

Broadcaster ABC found that HealthEngine passed on personal details of patients to law firms specializing in personal injury, a type of marketing activity known as lead generation. Those referrals were made based on information a patient provided during registration, such as if they'd been in a car accident or had been injured at work.

Under a pilot referral program, an average of 200 potential clients per month originating with HealthEngine were passed to the law firm Slater and Gordon between March and August last year, ABC reported.

Clear Consent

Under Australian privacy laws, companies can only pass on such personal details if consumers have granted their consent. Companies are supposed to present the conditions for how the data will be collected and used in an open and transparent way.

The ABC, as well as many users of the HealthEngine app, contended it was not possible to opt out of the marketing activities and still use the service. HealthEngine maintains that it obtains proper consent and that it is possible to opt out. It published an example of the dialog box it presents to users.

HealthEngine says this is the opt-in dialog box that asks users for consent to share their personal information.

The ABC's story generated extensive criticism of HealthEngine from users and medical practitioners. As a result, the OAIC and Digital Health Agency have launched an investigation.

Although HealthEngine has defended its practices since the ABC story was published on Monday, it appears now that the business may change tack.

On Thursday, HealthEngine sent emails to some of its customers saying that it plans to make an announcement within the next week regarding "substantial changes to HealthEngine's business model around advertising and referrals."

Tan also attempted to tamp down the outcry in a short video published on Wednesday.

Dr. Marcus Tan, CEO of HealthEngine, describes his company's approach to sharing users' data.

"I want to reassure our users that no personal information is passed on to third parties without your express consent or within the circumstances of our privacy policy," Tan says in the video.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
