HealthEngine has been hit with a $2.9 million fine, in a case brought by the Australian Competition and Consumer Commission (ACCC), for misusing customer data on more than 135,000 of its users and manipulating customer reviews.
HealthEngine is a website that facilitates online bookings between consumers and medical practitioners, and boasts more than 1.5 million monthly users.
The ACCC says that HealthEngine handed over email addresses, phone numbers and other personal information of 135,000 patients to third-party health insurance brokers without the explicit consent of its users.
The Federal Court has handed down a $2.9 million fine to HealthEngine for facilitating misleading conduct on the platform, with the court also ordering the company to “contact affected consumers and provide details of how they can regain control of their personal information.”
According to a statement from the ACCC, “HealthEngine admitted that between 30 April 2014 and 30 June 2018 it gave non-clinical personal information of over 135,000 patients to third party private health insurance brokers without adequately disclosing this to consumers.”
“HealthEngine earned more than $1.8 million from its arrangements with private health insurance brokers during this period,” according to the ACCC.
HealthEngine’s co-founder, Medical Director and CEO, Dr Marcus Tan, has said that the platform “got something wrong.”
“Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we’ve addressed,” Dr Tan wrote.
“The arrangements HealthEngine had with private health insurance comparison services were not sufficiently clear on the booking form itself,” Dr Tan added. “As a result, some consumers may not have made a fully informed choice regarding the transfer of their non-clinical, personal information to a private health insurance comparison service for the purpose of getting a comparison.”
“That was our error,” Dr Tan concluded.
Chairman of the ACCC, Rod Sims, has said that “these penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law.”
“The ACCC is very concerned about the potential for consumer harm from the use or misuse of consumer data.”
According to the ACCC, HealthEngine has also admitted the company refused to publish around 17,000 reviews, and edited a further 3,000 customer reviews to “remove negative aspects, or to embellish them.”
“The ACCC was particularly concerned about HealthEngine’s misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients’ experiences,” Mr Sims added.
HealthEngine has admitted fault in joint submissions to both the ACCC and the Australian Federal Court.
The ACCC began investigating HealthEngine in July of 2018, when it launched legal action against the platform for “misleading and deceptive conduct relating to the sharing of consumer information with insurance brokers and the publishing of patient reviews and ratings.”
According to a report from IT News, “the court proceedings – which followed a data breach, in which the company said 59,600 pieces of patient feedback ‘may have been improperly accessed’ – were also used to follow up on claims the company manipulated patient reviews published on the platform.”