The ACCC has started court proceedings in the Federal Court against HealthEngine for allegedly misleading and deceptive conduct related to the sharing of consumer information with insurance brokers and the publishing of patient reviews and ratings.
The ACCC claims that between 31 March 2015 and 1 March 2018, the online health service booking platform manipulated the patient reviews it published and misrepresented to consumers why HealthEngine did not publish a rating for some health practices.
“We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews,” said ACCC chair Rod Sims.
“We will argue that HealthEngine disregarded around 17,000 reviews and altered around 3,000 in the relevant time period. The ACCC considers that the alleged conduct by HealthEngine is particularly egregious because patients would have visited doctors at their time of need based on manipulated reviews that did not accurately reflect the experience of their patients,” Sims said.
The ACCC also alleges that from 30 April 2014 to 30 June 2018, HealthEngine gave information such as names, phone numbers, email addresses and date of birth of over 135,000 patients to private health insurance brokers for a few without adequately disclosing to consumers it would do so.
“We also allege that patients were misled into thinking their information would stay with HealthEngine but instead, their information was sold off to insurance brokers.”
Last July, HealthEngine notified a small group of users of a data breach where information was accessed through its practice recognition system via the company’s website.
The breach was made possible due to an error in the way the provider’s website operates, which allowed hidden patient feedback information within the code of the webpage to be improperly accessed by third parties.
HealthEngine revealed that of the more than 59,600 patient feedback entries that may have been improperly accessed, close to 75 contained identifying information. The company said it reported the breach to the Office of the Australian Information Commissioner and the 75 customers who may have had their data accessed.
Meanwhile, the ACCC’s Digital Platforms Inquiry Final Report – published last month, recommends the government strengthen consent and notification requirements under the Privacy Act.
“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC,” Sims said.
“Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.
“One of our recommendations from the Digital Platforms Inquiry is that obtaining consent for different purposes of data collection, use or disclosure must not be bundled,” he said.
The ACCC is seeking penalties, declarations, corrective notices and an order for HealthEngine to review its compliance program. The corporate watchdog is also applying for an order from the court that would require HealthEngine to contact affected consumers and provide details of how they can regain control of their personal information.
Follow Byron Connolly on Twitter: @ByronConnolly
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.