HealthEngine, an online booking engine and review platform for medical practices, has been hit with a $2.9M fine for engaging in misleading conduct in relation to sharing the non-clinical personal information of 135,000 patients with private health insurance brokers and publishing misleading patient reviews and ratings.

The organisation suffered a data breach in which 59,600 pieces of patient feedback affecting, according to HealthEngine, about 75 patients could have been improperly accessed. In addition to the privacy issues arising from the data breach, the matter came to the attention of the ACCC, and following court proceedings, HealthEngine admitted that it had:

  • given non-clinical personal information to private health insurance brokers over a period of four years and had received over $1.8M in fees from arrangements with private health insurers during that time;
  • not made it adequately clear on the online booking form that a person's personal information would be sent to a third party;
  • not published around 17,000 reviews of medical practices, and edited around 3000 reviews in order to remove negative comments or embellish positive aspects of the reviews, with 53% of reviews having been changed by the website in some way; and
  • misrepresented to customers the reasons why it did not publish ratings for some health or medical practices.

In addition to the $2.9M fine, HealthEngine had to contribute to the ACCC's costs.

Privacy and consumer laws are a fundamental part of doing business, and the business community is generally aware that it is improper to wrongfully disclose information or to be involved in misleading conduct. HealthEngine admits, however, that mistakes were made in relation to two services that it offered, which resulted in the improper conduct. To quote from its website: "Good intentions do not excuse poor execution."

The statement issued by the CEO of the organisation to "correct a misconception" stated that "HealthEngine never has and never will sell user databases to third parties", and that the "only time [they] provide clinical information to third parties is to a consumer's nominated health care provider to deliver the health care service requested by the consumer".

If any information collected by you is to be disclosed to third parties, it must be done in strict accordance with privacy laws in Australia, and you must ensure that information published is not misleading in any way.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.