Major privacy breach in the misuse of personal information used by HealthEngine

June 25, 2018

There is a regularity to certain types of breaches.  I posted on 11 September 2014 about the privacy problems with mobile apps.  Privacy controls are generally terrible.  The HealthEngine app, marketed as Australia’s biggest online doctor’s appointment booking service, is reported to have taken personal information provided by users and forwarded it to third parties, who could then contact those users as part of their professional services.  The most notable recipient of this data is Slater and Gordon, a personal injury firm.

If this breach of the Privacy Act 1988 and the misleading and deceptive conduct by HealthEngine do not attract a class action, then there is something wrong with the system.

The privacy statement and collection statement are dreadful and most likely in breach of the Privacy Act 1988.

The article provides:

Australia’s biggest online doctor’s appointment booking service, HealthEngine, has funnelled hundreds of users’ private medical information to law firms seeking clients for personal injury claims.

Key points:

  • HealthEngine has boasted to advertisers it can tailor advertising to patients’ symptoms
  • The Australian startup says it only shares information with users’ consent
  • But if a patient wants to use the app, there is no opportunity to opt-out of the fine print about giving information to third parties

The Perth-based startup, which is part-owned by Telstra and SevenWest Media and boasts 1.5 million monthly and 15 million annual users, has also been touting access to patients’ medical conditions and symptoms for targeted advertising campaigns.

A spokesperson from the Office of the Australian Information Commissioner, the oversight agency for national privacy laws, said it was making enquiries with HealthEngine after the ABC’s reporting on the company.

The ABC has obtained secret documents from plaintiff law giant Slater and Gordon that reveal HealthEngine was passing on a daily list of prospective clients to the firm, based on their personal medical information, as part of a “referral partnership pilot” last year.

HealthEngine asks users to include details of their symptoms and medical conditions, including whether they have suffered a workplace injury or been in a traffic accident, as part of the process of booking appointments with GPs, dentists, physiotherapists, optometrists and other medical practitioners.

The documents reveal HealthEngine passed on details of an average of 200 clients a month to Slater and Gordon between March and August last year.

A total of 40 became Slater and Gordon clients, yielding a projected $500,000 worth of legal fees.

HealthEngine and Slater and Gordon both declined interview requests and did not respond directly to questions.

In a statement, Slater and Gordon said it was “committed to creating mechanisms for Australians to access justice”.

“We are proactive in ensuring that any marketing we undertake is compliant with applicable laws and confident that it meets the highest ethical standards.”

HealthEngine said in a statement the company used advertising to “deliver relevant and timely information from our many different advertising partners to our users”.

The startup said it did share personal information of users with third parties if they consented.

“HealthEngine does not provide any personal information to third parties without the express consent of the affected user or in those circumstances described in our privacy policy,” the statement said.

HealthEngine also has a data-sharing arrangement with the Federal Government’s My Health Record digital medical record system.

However, the company said it was unable to directly access patient data held by My Health Record or the Australian Digital Health Agency.

How does HealthEngine get consent from users?

The company’s privacy policy makes no mention of sharing the information with third parties for marketing purposes.

However, a separate “collection statement”, which users must accept to use the service and confirm their booking, says HealthEngine shares personal information with a range of third parties.

“If you consent, we may also provide your personal information to providers of other products and services which may be of interest to you, such as private health insurance comparison services, providers of finance credit for cosmetic and dental procedures, and providers of legal services,” the collection statement says.

There is no opportunity to opt out of terms in the collection statement if patients want to use the app.

App users are prompted to specify the type of appointment, where they have the option to select whether they have been in a car accident, or had a workplace or non-workplace injury.

HealthEngine boasts it can tailor advertising to patients’ symptoms

The ABC has also obtained a HealthEngine marketing presentation which promises to let advertisers target users for products based on their “age, appointment type … postcode, symptom and booking type.”

“Advertisers have the ability to leverage and skew communication towards patients’ [symptom]-related issues or deliver brand message prior to seeing the GP,” the presentation says.

It is not the first time HealthEngine’s practices have come into question.

Earlier this month, Fairfax revealed the company was tampering with negative patient reviews of doctors to make them appear positive.

The company has since apologised and removed the reviews from its service.

Slater and Gordon used HealthEngine referrals via third party

HealthEngine was among several companies to have referred customers to Slater and Gordon as part of a pilot project last year.

On Sunday, the ABC revealed Slater and Gordon was using an external direct marketing business to find new clients, despite the firm’s own top lawyers warning the practice was unethical and possibly illegal.

The secret documents say the firm sourced the HealthEngine referrals via Sydney-based law firm Bannister Law, which held a contract for referrals with HealthEngine.

The documents say Slater and Gordon was not paying a fee for the referrals during the pilot stage, however, it expected Bannister Law to charge for the referrals in the future.

Bannister Law declined to comment.

In an updated statement from HealthEngine after publication of this article, the company’s CEO Dr Marcus Tan said “HealthEngine has no referral arrangements in place with marketing agencies or law firms.”

However, Dr Tan conceded the company had provided information to lawyers.

“Under previous arrangements, HealthEngine provided referrals to law firms but only with the express consent of the user,” he said.

Electronic Frontiers Australia, the Australian Privacy Foundation and Future Wise have put out a press release condemning the practice, stating:

Australia, Melbourne — Monday 25 June 2018 — EFA, Future Wise and APF today denounced the actions of HealthEngine and its doctor appointment booking system which has been sharing patient data with law firms, marketers, and other entities with the flimsiest pretense of patient consent.

“If this ethically dubious behaviour is technically legal, then Australia’s privacy legislation must be changed,” said Justin Warren, Electronic Frontiers Australia board member.

“People have made it clear time and time again that information about their health is extremely personal and private and they expect it to be kept secure, not shared with all and sundry,” he said. “I cannot understand how any doctor would allow their patients’ trust to be abused in this way.”

Dr Trent Yarwood, health spokesperson for Future Wise and a medical specialist, said “Making access to healthcare easier for people is critical. However, practice managers and healthcare professionals must understand the privacy implications of how they do this.”

“Too many services are set up with the primary aim of selling personal data to advertisers, and providing ‘convenient’ services to people purely as a hook to get this data,” he concluded.

The original ABC report noted that “HealthEngine also has a data-sharing arrangement with the Federal Government’s My Health Record (MyHR) digital medical record system.” The precise nature of this data-sharing arrangement must be made public immediately. The government is making MyHR mandatory, save for a short once-only opt-out period, and the public must know what our health data is going to be used for if we are to have confidence in this system.

Kat Lane, vice chair of Australian Privacy Foundation, said “Data in the government’s MyHR can be downloaded to a GP system and is then freely available—no controls, no audit trail—including potentially to apps such as HealthEngine, without proper informed consent. This is a warning about serious issues of transparency and consent with such apps and MyHR.”

The law must be changed to provide robust privacy protections for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient. The current system is too easy to bypass for unscrupulous operators looking to make a fast buck.
