HealthEngine has been slapped with $2.9 million in penalties for sharing the non-clinical personal information of over 135,000 patients with third-party private health insurance brokers without their knowledge.
The company, which acts as an online booking engine and review platform for medical practices, has also admitted to holding back or manipulating patient reviews and ratings to inflate its positive image.
The Australian Competition and Consumer Commission took HealthEngine to the Federal Court late last year, alleging that it had engaged in misleading and deceptive conduct when it provided the non-clinical personal information to private health insurance brokers for a fee.
It said the information included the names, phone numbers, email addresses, and dates of birth of over 135,000 patients, which had been shared “without adequately disclosing to customers it would do so” between 30 April 2014 and 30 June 2018.
The court proceedings – which followed a data breach, in which the company said 59,600 pieces of patient feedback “may have been improperly accessed” – were also used to follow up on claims the company manipulated patient reviews published on the platform.
But the ACCC on Thursday said HealthEngine had now admitted to providing the non-clinical personal information of patients to third-party private health insurance brokers over the four-year period, which had earned the company more than $1.8 million.
The company also admitted to “not publish[ing] around 17,000 reviews and edit[ing] around 3000 reviews to remove negative aspects, or to embellish them” between 31 March 2015 and 1 March 2018.
It similarly admitted that it “misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices”.
After considering joint submissions and proposed orders from HealthEngine and the ACCC, the Federal Court ordered the company to pay $2.9 million in penalties for engaging in misleading conduct.
It has also been ordered to “contact affected consumers and provide details of how they can regain control of their personal information”, as well as commission an annual review of its Australian Consumer Law compliance program for the next three years.
HealthEngine will also contribute to the ACCC’s legal costs.
ACCC chair Rod Sims said the “penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law.”
He said the ACCC was concerned with both the “potential for consumer harm from the use or misuse of consumer data”, as well as “HealthEngine’s misleading conduct in connection with reviews it published”.
In a statement, HealthEngine said it welcomed the conclusion of legal proceedings, adding that the “services in question were either discontinued or significantly overhauled two years ago”, prior to the ACCC investigation.
“Personal, not clinical, information was provided to private health insurance comparison services when consumers specifically requested a call regarding a health insurance comparison,” it said.
“We did not make it sufficiently clear on the booking form that a third party, not HealthEngine, would be contacting them regarding the comparison and that we would be passing on consumer details for that to occur.
“This was an error and HealthEngine apologises for it.”
HealthEngine co-founder and CEO Marcus Ta also used the statement to “correct a misconception” that he said emerged when the ACCC initially announced its proceedings last year.
“HealthEngine never has – and never will – sell user databases to third parties,” he said.
“Further, the only time we provide clinical information to third parties is to a consumer’s nominated healthcare provider to deliver the healthcare services requested by that consumer.
“We made mistakes at the time with respect to two services we offered – the Practice Recognition System and private health insurance comparison services – and we apologise for those mistakes.”