ACCC takes HealthEngine to court over alleged data misuse

The Australian Competition and Consumer Commission has kicked off proceedings in the federal court against HealthEngine, alleging the online booking and review platform of misleading and deceptive conduct.

HealthEngine, which the ACCC called Australia’s largest online marketplace in the court filing, last year revealed a data breach in which 59,600 pieces of patient feedback “may have been improperly accessed”.

However, the ACCC now alleges that between April 2014 and June 2018 HealthEngine gave information including names, phone numbers, email addresses, and dates of birth of over 135,000 patients to private health insurance brokers for a fee, “without adequately disclosing to customers it would do so”.

“We also allege that patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers,” ACCC chair Rod Sims said.

“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC.

“Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.”

Additionally, the consumer watchdog is following up claims from Fairfax that between 31 March 2015 and 1 March 2018, the company manipulated patient reviews published on the platform and misrepresented to consumers why HealthEngine didn’t publish a rating for some health practices.

“We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews,” Sims said.

The ACCC will argue that HealthEngine “disregarded” around 17,000 reviews, and altered 3000 during that time.

“The ACCC considers that the alleged conduct by HealthEngine is particularly egregious because patients would have visited doctors at their time of need based on manipulated reviews that did not accurately reflect the experience of other patients,” Sims said.

It appears the watchdog is also using the court case to drive home the recommendations in its recent Digital Platform Inquiry, which pushed for stronger consent and notification requirements under the Privacy Act.

“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC. Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.”

The commission is seeking penalties, declarations, corrective notices and an order for HealthEngine to review its compliance program.

It’s also applying for a court order that would require the company to contact affected users and provide details of how they can regain control of their personal information.

Update

Chief executive of HealthEngine, Marcus Tan, said in a statement said the company "either discontinued or significantly overhauled the services in question over a year ago," before being advised of the ACCC's investigation.

"HealthEngine recognises that our rapid growth over the years has sometimes outpaced our systems and processes and we sincerely apologise if that has meant we have not always met the high expectations of us."

He added that the company is confident there were no "adverse health outcomes" as a result and that "personal information was not shared with referral partners unless the individual had expressly requested to be contacted".