HealthEngine ordered to pay $2.9m for ‘misleading conduct’
The penalty relates to sharing the personal information of more than 135,000 patients, publishing misleading patient reviews and ratings.
The settlement saw HealthEngine admit to providing non-clinical personal information – such as names, dates of birth, phone numbers and email addresses – to nine different third-party private health insurance brokers without properly informing consumers.
This arrangement earned the online medical booking platform more than $1.8 million over a period of four years and two months.
HealthEngine also admitted to engaging in conduct that was misleading or deceptive, or likely to mislead or deceive, by choosing not to publish close to 17,000 negative patient reviews of medical practices, and by editing a further 3253 reviews to embellish them or remove negative aspects.
Aside from the financial penalty, HealthEngine was also ordered to contact affected consumers and provide details for how they can regain control of their personal information, and engage in an independent annual review of its existing compliance program for the next three years, as well as implement any changes identified by the independent reviewer.
It will also pay a $50,000 contribution to the Australian Competition and Consumer Commission’s (ACCC) legal costs.
ACCC Chair Rod Sims said the organisation is ‘very concerned’ about the potential for consumer harm from the use or misuse of consumer data.
‘The ACCC was particularly concerned about HealthEngine’s misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients’ experiences,’ Mr Sims said.
‘These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law [ACL].’
In summarising his reasons for accepting the settlement proposed in a joint submission to the Federal Court made by HealthEngine and the ACCC, Justice David Yates said he was satisfied concerns he had previously raised regarding the ‘sufficiency and completeness’ of information presented to the court by both parties had been resolved.
‘HealthEngine did not consider every patient review it received or automatically publish these reviews. Further, HealthEngine edited the feedback and comments it received … in a way that made them appear more positive than they really were,’ he said.
‘Contraventions of this kind are serious because of their immediate potential to mislead consumers of medical services about non-medical or non-clinical aspects of health practices.’
The joint submission acknowledges that HealthEngine’s senior management were aware of, and responsible for, the practice of only publishing positive reviews but were not aware of, nor directly involved in, the practice of editing reviews to remove negative content until early in 2017.
It notes that the practice of editing reviews reduced significantly after February 2017 and states that ‘HealthEngine’s senior management did not intend to breach the ACL’, and that cooperation in relation to the proceedings had been ‘substantial’.
‘It has made full admissions, agreed to the making of all appropriate orders including the proposed penalty, and joined in the making of submissions which frankly reflect the seriousness of its wrongdoing,’ the joint statement notes.
‘The proposed penalty factors in a discount for this cooperation.’
Following the verdict, HealthEngine released a statement that acknowledged the ‘error’ of passing patient details on to third-party private health insurance providers and pointed out that the services had been ‘discontinued or significantly overhauled’ prior to the company being formally advised of any ACCC investigation.
Dr Sara Bird, Manager of Medico-Legal and Advisory Services at MDA National, told newsGP the case is a ‘useful reminder’ for GPs and practices to be vigilant in ensuring patient details are not used or shared inappropriately.
‘Health information is sensitive in nature and needs to be treated carefully. If patient details are accidentally disclosed, the patient needs to be informed,’ she said.
‘Health information is also potentially valuable, as highlighted by this case, and any misuse of this information is taken very seriously by various bodies, including the ACCC and the Office of the Australian Information Commissioner.’
Responding to the Federal Court’s decision, HealthEngine co-founder and CEO Marcus Tan said ‘good intentions do not excuse poor execution’ and that the process had provided a greater understanding of ‘operational shortcomings’.
‘When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers. That apology still stands,’ he said.
‘It is important to correct a misconception that emerged when the ACCC proceedings were announced. HealthEngine never has – and never will – sell user databases to third parties. Further, the only time we provide clinical information to third parties is to a consumer’s nominated healthcare provider to deliver the healthcare services requested by that consumer.
‘We made mistakes at the time with respect to two services we offered – the Practice Recognition System and private health insurance comparison services – and we apologise for those mistakes.’