A significant data breach of medical histories at Neoclinical, an example of how not to respond to a data breach; meanwhile the ACCC commences action against HealthEngine for selling its customers' data. Big problems with data security in the health sector, no news there…

August 8, 2019

Paradoxically, the one type of data that is regarded as most sensitive, health information, is often the most poorly protected. The privacy protection culture is poor, insufficient resources are put into protecting personal information and staff training is often rudimentary. There is a constant stream of breaches reported, including in the last fortnight: thousands of pharmaceutical records leaked in the US; a data breach at Presbyterian Healthcare Services in Albuquerque that resulted in unauthorised access affecting 183,000 patients; the all too regular instance of medical records in paper form being left on the street, this time in London, Canada; and a health centre in Kentucky paying $70,000 ransom to unlock the medical records of 20,000 patients. There are clear challenges in securing personal information in health centres and hospitals, with many individuals having access to data at many terminals; however, the challenges are surmountable. Most data breaches are a result of poor practices and insufficient time, money and effort going into setting up proper hardware and software, establishing proper processes, and training and then more training.

The Nine/Fairfax press reports on a major data breach at Neoclinical, a company which matches individuals with active clinical trials. The data is sensitive by definition, but it is even more concerning given that the data Neoclinical held was users' responses to questions qualifying them for clinical trials. Those sorts of questions go to medical diagnoses, illicit drug use and treatments received. The breach involved its 37,170 users. The breach was detected by UpGuard, which sent an email to Neoclinical. Neoclinical did not notify the Information Commissioner about the breach when notified or even shortly after. It did nothing until the media asked questions about it. Then, and only then, did it notify the Commissioner, yesterday. If the Commissioner lets such an obvious breach of the mandatory data breach notification laws pass then it is an even weaker regulator than it is perceived to be at the moment. Neoclinical also adopted a truculent approach to its inadequate data security being exposed.

The Fairfax article provides:

Tens of thousands of Australians have had their medical histories and other private information exposed in a large data breach of a company that enabled them to participate in paid clinical trials.

The database belonging to Neoclinical exposed approximately 37,000 people’s contact information and their responses to personal medical questions qualifying them for clinical trials, which included information about diagnoses, illicit drug use and treatments.

A screenshot of some of the information in the database. Credit: UpGuard

According to US cyber security company UpGuard, which uncovered Neoclinical’s unsecured database on the internet, there were 12,388 individuals from NSW and 4916 from Victoria in the exposed database. The rest were from New Zealand or other Australian states and territories.

In a statement to The Sydney Morning Herald and The Age on Wednesday afternoon, Neoclinical admitted to the breach but said the disclosure of it “was an exercise by a cyber security company demonstrating their expertise for marketing purposes”.

“During a routine IT operation, our server was temporarily opened last month,” a Neoclinical spokesperson said.

The company has temporarily shut down its website and has informed the Privacy Commissioner.

Neoclinical’s chief executive is Geoff Denman. According to the Australian Financial Review, Mr Denman was one of the ad executives behind the “Kevin07” campaign that put Labor’s Kevin Rudd in The Lodge. He was also behind the mining industry’s assaults on Labor’s mining super-profits tax and carbon tax.

Questions answered by participants included: Do you suffer from an immune system disease?; Do you use illegal substances?; How often do you use drugs?; Do you have an implanted cardiac device?; Where is your skin condition located?; and are you looking to regain bladder control?

“A US cyber security company which trawls the internet looking for data access found a way to get around the password protection and access our server,” the Neoclinical spokesperson said. “The cyber security company advised Amazon Web Services, who are our hosting provider, who in turn advised us.

“On receiving this advice we immediately shut down all access to the server. Once the breach from the cyber security company was confirmed, we immediately contacted the Privacy Commissioner’s office about the event and we are informing everyone whose details may have been affected.”


The Neoclinical spokesperson said they did not believe the information exposed would “be used in a malicious way” by UpGuard. “We are seeking reassurances to this effect from the company which breached our server and are contacting them today,” they said.

“We take confidentiality and this breach seriously, to the extent that our site will continue to remain in lockdown and operations suspended until such time that we can be certain that a breach of this kind cannot occur again.”

UpGuard said it uncovered the database on July 1, when one of its computer security researchers detected a database named “neoclinical” on the internet.

“That day the researcher sent an email notification to Neoclinical,” UpGuard said. “The researcher called both phone numbers on Neoclinical’s website, one of which was disconnected and the other [which] was configured to record a 10-second message to be transcribed and sent as text.

“On July 25 the researcher escalated notification to Amazon Web Services security, which followed their standard procedure of saying they would notify the owner of the database.

“On July 26, public access to the database was removed.”

UpGuard said this case was a reminder to participants of clinical trials that “whenever they pass information to a third party, they should consider the impact of that data being exposed”.

“And for companies, it should highlight the importance of having an incident response capability so that when data leaks occur, they can be mitigated within hours rather than weeks,” UpGuard said.

The Privacy Commissioner was informed on Wednesday, after the Herald and The Age contacted Neoclinical.

Meanwhile the Australian Competition and Consumer Commission commenced action yesterday in the New South Wales Registry of the Federal Court against the online health booking platform HealthEngine Pty Ltd for misleading and deceptive conduct. The conduct complained of included only publishing positive patient reviews. From a privacy perspective, the conduct complained of is giving patients' names, phone numbers, email addresses and dates of birth to private health insurance brokers for a fee without disclosing to consumers that it would, and did, do so. In that regard the ACCC is following the approach taken by the FTC in prosecuting privacy breaches by alleging misleading and deceptive conduct. It is a very smart move by the ACCC. The FTC has had great success in simply proving that representations about privacy protections were false when there are major data breaches.

The ACCC approach puts to shame the Australian Information Commissioner's weak and opaque approach to regulation. The ACCC has linked to its Concise Statement that was filed in the Federal Court. It is a clear signal to the market that it is very serious about prosecuting breaches. The Information Commissioner is, by contrast, afraid of the light; everything that is done is done behind closed doors and only published, if at all, many months after the fact. It does not advertise any enforcement action it takes. That is partly because it does so little.

The first Case Management Hearing will be held in the Federal Court in Sydney on 9 September 2019 before Justice Yates in Court Room 18B.

The ACCC media release provides:

The ACCC has instituted proceedings in the Federal Court against online health booking platform HealthEngine Pty Ltd (HealthEngine) for misleading and deceptive conduct relating to the sharing of consumer information with insurance brokers and the publishing of patient reviews and ratings.

The ACCC claims that between 31 March 2015 and 1 March 2018, HealthEngine manipulated the patient reviews it published, and misrepresented to consumers why HealthEngine did not publish a rating for some health practices.

“We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews,” ACCC Chair Rod Sims said.

“We will argue that HealthEngine disregarded around 17,000 reviews, and altered around 3,000 in the relevant time period.”

“The ACCC considers that the alleged conduct by HealthEngine is particularly egregious because patients would have visited doctors at their time of need based on manipulated reviews that did not accurately reflect the experience of other patients,” Mr Sims said.

The ACCC also alleges that from 30 April 2014 to 30 June 2018, HealthEngine gave information such as names, phone numbers, email addresses, and date of birth of over 135,000 patients to private health insurance brokers for a fee without adequately disclosing to consumers it would do so.

“We also allege that patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers,” Mr Sims said.

The ACCC’s recent Digital Platforms Inquiry Final Report includes recommendations to strengthen consent and notification requirements under the Privacy Act. 

“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC,” Mr Sims said.

“Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.”

“One of our recommendations from the Digital Platforms Inquiry is that obtaining consent for different purposes of data collection, use or disclosure must not be bundled,” Mr Sims said.

The ACCC is seeking penalties, declarations, corrective notices and an order for HealthEngine to review its compliance program.

The ACCC is also applying for an order from the Court that would require HealthEngine to contact affected consumers and provide details of how they can regain control of their personal information.


HealthEngine describes itself as Australia’s largest online health marketplace, which is used by over a million consumers every month.

HealthEngine provides a booking system for patients and an online health care directory that lists over 70,000 health practices and practitioners in Australia. The directory allows patients to search for and book appointments with health practitioners. Up until June 2018, consumers could also access reviews from patients about the quality and services of health practitioners.

Two of HealthEngine’s major investors are subsidiaries of Telstra and Seven West Media.

A sample of reviews allegedly manipulated by Health Engine can be found in the ACCC’s concise statement below.

iTnews reports on this opening salvo with "ACCC takes HealthEngine to court over alleged data misuse" and the ABC with "HealthEngine, medical booking app, facing multi-million-dollar fines for selling patient data". It is a case worth watching as it may point the way to enforcing privacy protections. If the Information Commissioner won't or can't take enforcement action then the ACCC should.
