[BreachExchange] HealthEngine cops $2.9m penalty over data misuse
Destry Winant
destry at riskbasedsecurity.com
Fri Aug 21 10:12:56 EDT 2020
https://www.itnews.com.au/news/healthengine-cops-29m-penalty-over-data-misuse-552059
Admits to sharing patient information without their knowledge.
HealthEngine has been slapped with $2.9 million in penalties for
sharing the non-clinical personal information of over 135,000 patients
with third-party private health insurance brokers without their
knowledge.
The company, which acts as an online booking engine and review
platform for medical practices, has also admitted to holding back or
manipulating patient reviews and ratings to inflate its positive
image.
The Australian Competition and Consumer Commission took HealthEngine
to the Federal Court late last year, alleging that it had engaged in
misleading and deceptive conduct when it provided the non-clinical
personal information to private health insurance brokers for a fee.
It said the information included the names, phone numbers, email
addresses, and dates of birth of over 135,000 patients, which had been
shared “without adequately disclosing to customers it would do so”
between 30 April 2014 and 30 June 2018.
The court proceedings - which followed a data breach, in which the
company said 59,600 pieces of patient feedback “may have been
improperly accessed” - were also used to follow up on claims the
company manipulated patient reviews published on the platform.
But the ACCC on Thursday said HealthEngine had now admitted to
providing the non-clinical personal information” of patients to
third-party private health insurance brokers over the four-year
period, which had earned the company more than $1.8 million.
The company also admitted to “not publish[ing] around 17,000 reviews
and edit[ing] around 3000 reviews to remove negative aspects, or to
embellish them” between 31 March 2015 and 1 March 2018.
It similarly admitted that it “misrepresented to consumers the reasons
why it did not publish a rating for some health or medical practices”.
After considering joint submissions and proposed orders from
HealthEngine and the ACCC, the Federal Court ordered the company pay
$2.9 million in penalties for engaging in misleading conduct.
It has also been ordered to “contact affected consumers and provide
details of how they can regain control of their personal information”,
as well as commission an annual review of its Australian Consumer Law
compliance program for the next three years.
HealthEngine will also contribute to the ACCC’s legal costs.
ACCC chair Rod Sims said the “penalties and other orders should serve
as an important reminder to all businesses that if they are not
upfront with how they will use consumers’ data, they risk breaching
the Australian Consumer Law.”
He said the ACCC was concerned with both the “potential for consumer
harm from the use or misuse of consumer data”, as well as
“HealthEngine’s misleading conduct in connection with reviews it
published”.
In a statement, HealthEngine said it welcomed the conclusion of legal
proceedings, adding that the “services in question were either
discontinued or significantly overhauled two years ago”, prior to the
ACCC investigation.
“Personal, not clinical, information was provided to private health
insurance comparison services when consumers specifically requested a
call regarding a health insurance comparison,” it said.
“We did not make it sufficiently clear on the booking form that a
third party, not HealthEngine, would be contacting them regarding the
comparison and that we would be passing on consumer details for that
to occur.
“This was an error and HealthEngine apologises for it.”
HealthEngine co-founder and CEO Marcus Ta also used the statement to
“correct a misconception” that he said emerged when the ACCC initially
announced its proceedings last year.
“HealthEngine never has - and never will - sell user databases to
third parties,” he said.
“Further, the only time we provide clinical information to third
parties is to a consumer’s nominated healthcare provider to deliver
the healthcare services requested by that consumer.
“We made mistakes at the time with respect to two services we offered
- the Practice Recognition System and private health insurance
comparison services - and we apologise for those mistakes.”
More information about the BreachExchange
mailing list