HealthEngine has revealed a data breach in which 59,600 pieces of patient feedback “may have been improperly accessed”.
The company, which acts as an online booking engine for medical practices, said it had notified those affected as well as the Office of the Australian Information Commissioner.
It blamed the breach on “an error in the way” its website operated, saying that information “ordinarily not visible to users on the site” was accidentally exposed in the webpage’s code.
Of the 59,600 pieces of feedback, 75 contained identifying information about a site user.
However, the company said no usernames or passwords were impacted and “no action is required to be taken by users of the site”.
“HealthEngine has worked around the clock to investigate how the information was improperly obtained, what patients might have been affected, and the steps required to further address the matter,” CEO Dr Marcus Tan said in a statement.
“We have removed all published patient feedback from our site while we review the HealthEngine Practice Recognition System, to ensure that hidden feedback information can no longer be accessed in this way.
“We take data security very seriously, and acted swiftly and decisively when we became aware of the breach, to identify the error and shut down the published patient feedback function.”
The Practice Recognition System includes a post-appointment survey designed to collect feedback about how a practice performs.
The data breach comes in the same week that HealthEngine was embroiled in a scandal over sharing private medical information, provided during online bookings, with the likes of insurance companies and lawyers.