HealthEngine in court for allegedly misusing patient data and manipulating reviews

It’s not that often that I feel a business should be barred from the market permanently - this one comes close … breathtaking unethical behaviour …

8 August 2019

The ACCC has instituted proceedings in the Federal Court against online health booking platform HealthEngine Pty Ltd (HealthEngine) for misleading and deceptive conduct relating to the sharing of consumer information with insurance brokers and the publishing of patient reviews and ratings.

The ACCC claims that between 31 March 2015 to 1 March 2018, HealthEngine manipulated the patient reviews it published, and misrepresented to consumers why HealthEngine did not publish a rating for some health practices.

“We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews,” ACCC Chair Rod Sims said.

“We will argue that HealthEngine disregarded around 17,000 reviews, and altered around 3,000 in the relevant time period.”

“The ACCC considers that the alleged conduct by HealthEngine is particularly egregious because patients would have visited doctors at their time of need based on manipulated reviews that did not accurately reflect the experience of other patients,” Mr Sims said.

The ACCC also alleges that from 30 April 2014 to 30 June 2018, HealthEngine gave information such as names, phone numbers, email addresses, and date of birth of over 135,000 patients to private health insurance brokers for a fee without adequately disclosing to consumers it would do so.

“We also allege that patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers,” Mr Sims said.

The ACCC’s recent Digital Platforms Inquiry Final Report includes recommendations to strengthen consent and notification requirements under the Privacy Act.

“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC,” Mr Sims said.

“Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.”

“One of our recommendations from the Digital Platforms Inquiry is that obtaining consent for different purposes of data collection, use or disclosure must not be bundled,” Mr Sims said.

The ACCC is seeking penalties, declarations, corrective notices and an order for HealthEngine to review its compliance program.

The ACCC is also applying for an order from the Court that would require HealthEngine to contact affected consumers and provide details of how they can regain control of their personal information.


HealthEngine describes itself as Australia’s largest online health marketplace, which is used by over a million consumers every month.

HealthEngine provides a booking system for patients and an online health care directory that lists over 70,000 health practices and practitioners in Australia. The directory allows patients to search for and book appointments with health practitioners. Up until June 2018, consumers could also access reviews from patients about the quality and services of health practitioners.

Two of HealthEngine’s major investors are subsidiaries of Telstra and Seven West Media.

A sample of reviews allegedly manipulated by HealthEngine can be found in the ACCC’s concise statement below.

The attached document below contains the ACCC’s initiating court documents in relation to this matter. We will not be uploading further documents in the event these initial documents are subsequently amended.

Concise Statement

ACCC v HealthEngine Pty Ltd: Concise Statement (PDF 1.67 MB)

Release number: 142/19


Notification of data use is one thing - at least a customer might be informed. Consent is only useful if one can use a (so-called) service effectively or at all if one does not consent.

I’ll bet the name and type of services provided as part of bookings made were also divulged to brokers.

I’m wondering if anyone else saw something rather odd about this statement …

Cue the theme to Mission Impossible?


Yeah the horse has already bolted far far away and they want to try and still keep it in the corral. They haven’t realised it is already gone and can only be retrieved with some permanent damage. A bit like saying this is a brand new unused car so please excuse the damage from us driving it already.


Odd, Yes!
But only up until I read,

The company is also facing an investigation by the Office of the Australian Information Commissioner and the Australian Digital Health Agency.

‘Alarming’ might be a better description.

I gather at least one practice I go to uses a third party system to manage bookings. They have a preference for customers to book on line using …!
I ring up to book personally. I’d now wonder whether I agreed to it or not I’m in there now too. Something sends out an SMS reminder the day before, even if it is a Sunday when the business is closed. :thinking:

I wonder what the deal (contract) between the service provider HealthEngine and a Medical Practice says? About everything including any discounts for customer volume, or added free services in return for …?


I think things may have gone beyond notification and/or consent being relevant.

How about an overriding, explicit, legally-enforceable principle that disclosure of any personal information must have a compelling justification having regard solely to the interests of the person whose information it is?

“Notification” is obviously pointless. It will be in the 40 pages of 6pt legalese that you have to click a link for and read - that few if any ever do.

“Consent” has its limits due to the previous point, and due to questions around whether that consent is informed, both about present uses of the data and future uses of the data, and about abuses of the data, and about inadvertent disclosure of the data, and about hacking of the data etc.


What do we really know about the product promoted by HealthEngine to medical practices?

The last two points are worth a moment’s thought. Free?

And elsewhere only $26pm per practice for the Premium Plan. That includes the added feature that sends out SMS appointment reminders.

Added content
One answer. But how does Patient Match deliver, and to whom?


This year I’ve got on HotDoc to book my appointments, I attend a very busy clinic in St Kilda and the phones are super busy: always a long time listening to the same tape over and over, and then a rushed receptionist to take my details.
It’s so much easier to go on line and at my leisure look over all the available days and times for my doctor.
It’s free to me. And I get reminders, which the clinic didn’t offer.
The terms of Service are the usual ones, including that it is my responsibility to keep my Login safe and report any security issues…


I noted that my partner’s GP uses HotDoc.
When I search for the practice with Google HealthEngine is returned at the top of the list.
This is ahead of the practice web link and higher again than HotDoc.

That is a negative sign for me concerning HealthEngine and positioning in the market place.

It may be useful for consumers to have a more informed assessment of the different online booking services, privacy and services offered?
Choice to consider perhaps @BrendanMays?

My GP is at a different practice and uses HealthEngine! And had done for some time preceding last year’s breaches.


‘surprisingly cheap’ … with a massive ‘hidden cost’ passed on to the customer …

The document attached to the ACCC release is staggering - I’d thought it a good idea to extract relevant information from it, but there is so much!

What this organisation did with publishing reviews is beyond unconscionable …

Interestingly the revenue information has been withheld - and it took a rather large black mark to do it:

I wonder where the data went after the brokers got hold of it?

Let’s hope the punishment fits …


Yes, I agree @mark_m
But it’s just that HotDoc is the one my clinic uses for online bookings.
Of course our personal details are at risk in most places we attend: when going in the clinic I’m asked if my phone number is still… for all to hear, and if I make an appointment while I’m there I’m asked for my birthdate for all to hear.


From (in part - highlighting mine):

HealthEngine founder and CEO Dr Marcus Tan says the company is working hard to rebuild trust. (Image: HealthEngine)

The competition regulator is seeking penalties, declarations, corrective notices and an order for HealthEngine to review its compliance program. It has also applied for an order from the court that would require HealthEngine to contact affected consumers and provide details of how they can regain control of their personal information.

HealthEngine founder and CEO Dr Marcus Tan responded to the ACCC by stating the business had either discontinued or overhauled these services more than a year ago, before it was formally advised of any investigation.

‘Our rapid growth over the years has sometimes outpaced our systems and processes, and we sincerely apologise if that has meant we have not always met the high expectations of us,’ he said.

‘HealthEngine is confident that no adverse health outcomes were created and that personal information was not shared with referral partners unless the individual had expressly requested to be contacted.

‘We are working hard to rebuild the trust we’ve lost with patients and practices.’

The online booking service discontinued its ‘third-party referral service’, patient reviews and third-party banner advertising in July last year.

In an email to newsGP, Dr Rob Hosking, Chair of the RACGP Expert Committee – Practice Technology and Management (REC–PTM), referred to the RACGP online appointment technology factsheet as a resource GPs could use if they have ongoing concerns and pointed out there are a number of other online booking service providers.

‘formally advised’ - suggesting they were ‘informally advised’?

Their ‘rapid growth’ also outpaced their ethics?

No adverse health outcomes, but a few adverse privacy outcomes one could suggest …


Thanks for the tag, I’m sure the topic will be of interest to staff working in this area. I’ll be sure to flag it.


Are they still partners with My Health Record?


The CEO and directors should be in jail. Fines won’t achieve anything because - as Facebook has continually shown - they simply become a cost of doing business where they earn far more from breaking the law than what the fines cost them.