Andrew Chalet and Peytee Grusche

Review tampering and mishandling of patient data lands HealthEngine $2.9 million in penalties

Andrew Chalet and Peytee Grusche

8 October 2020

Competition and Consumer Law Confidentiality and Privacy

The significant financial penalty incurred by HealthEngine in the Federal Court functions as a timely reminder to businesses that breaches of privacy may lead to the Australian Competition and Consumer Commission (ACCC) pursuing enforcement action under the Australian Consumer Law (ACL).

Recent proceedings in the Federal Court brought by the ACCC revealed that HealthEngine, an online health platform which facilitates patient bookings, engaged in misleading and deceptive conduct in relation to inappropriate disclosure of patient personal information and the selective publication and embellishment of patient reviews.

HealthEngine was ordered to pay $2.9 million in penalties for its contraventions of the ACL and also directed to contact affected patients to let them know how they could arrange for their personal information to be deleted by HealthEngine and other third parties it had been wrongly been provided to.  You can read the full judgment here.

Misleading and deceptive conduct

 Justice Yates analysed HealthEngine’s conduct in three separate categories—review conduct, ratings conduct and referral conduct.

In terms of the review and ratings conduct, HealthEngine admitted that, between 2015 and 2018, it excluded around 17,000 reviews from its platforms and, without patient permission, edited approximately 3,000 reviews to be more favourable towards health service providers.  It also failed to disclose to consumers that, if less than 80 percent of patients said they would recommend a health service provider, instead of publishing a rating, HealthEngine would state that the health service provider had no rating at all due to insufficient data.

Other concerning conduct involved HealthEngine providing the personal information of around 135,000 patients (such as names, dates of birth, phone numbers and email addresses) to third parties without obtaining appropriate patient consent for such disclosure.

Over a period of four years, from 2014 to 2018, HealthEngine adopted a system whereby it received commissions for referring patients to private health insurance brokers. In doing so, it provided insurance brokers with patient personal information when patients agreed to receiving a call about health insurance comparison services.  However, HealthEngine ultimately accepted that the language it used in regards to this process did not make clear that a third party (and not HealthEngine itself) would contact patients and that personal information would be sent on to those insurance brokers.

ACCC interest in privacy compliance

The ACCC began investigating HealthEngine’s conduct in July 2018 and decided to commence proceedings in mid-2019.

Following the judgment, the ACCC said that the substantial penalty imposed on HealthEngine should reinforce to businesses that they must be upfront with consumers about how they use and disclose personal information—and that a failure to do so places businesses at significant risk of breaching the ACL.

This case forms part of the ACCC’s renewed focus on privacy and data protection—and highlights the perhaps often overlooked interaction between privacy and the ACL.  The ACCC released its final report of the Digital Platforms Inquiry last year, which included recommendations to solidify consent and notification requirements under the Privacy Act 1988 (Cth).

The ACCC also recently amended the Consumer Data Right Rules to allow accredited intermediaries to collect data on behalf of third party data recipients (with consumer consent), and is currently seeking consultation on other proposed changes including:

  • amendments to the accreditation process for new restricted tiers of accreditation;
  • rules to allow consumers to consent to third party disclosure of Consumer Data Right data; and
  • enhanced functionality to improve consumer experience.

Submissions are due on 29 October 2020 and you can find out more about the consultation process here.

For more information or if you need assistance or advice on updating your privacy policy or how to appropriately manage personal information in your business, please contact a member of Thomson Geer’s National Intellectual Property team for a confidential discussion.


Andrew Chalet | Partner | +61 3 8080 3542 |

Dr Peytee Grusche | Special Counsel | +61 8 9404 9161 |

Stephanie McHugh | Lawyer | +61 3 8080 3554 |