This appeared last week:
HealthEngine cops $2.9m penalty over data misuse
By Justin Hendry on Aug 20, 2020 12:30PM
Admits to sharing patient information without their knowledge.
HealthEngine has been slapped with $2.9 million in penalties for sharing the personal information of over 135,000 patients with private health insurance brokers without their knowledge.
The company, which acts as an online booking engine and review platform for medical practices, has also admitted to holding back or manipulating patient reviews and ratings to inflate its positive image.
The Australian Competition and Consumer Commission took HealthEngine to the Federal Court late last year, alleging that it had engaged in misleading and deceptive conduct when it provided the non-clinical personal information to private health insurance brokers for a fee.
It said the information included the names, phone numbers, email addresses, and dates of birth of over 135,000 patients, which had been shared “without adequately disclosing to customers it would do so” between 30 April 2014 and 30 June 2018.
The court proceedings - which followed a 2018 data breach, in which the company said 59,600 pieces of patient feedback “may have been improperly accessed” - were also used to follow up on claims the company manipulated patient reviews published on the platform.
But the ACCC on Thursday said HealthEngine had now admitted to providing the non-clinical personal information” of patients to third-party private health insurance brokers over the four-year period, which had earned the company more than $1.8 million.
The company also admitted to “not publish[ing] around 17,000 reviews and edit[ing] around 3000 reviews to remove negative aspects, or to embellish them” between 31 March 2015 and 1 March 2018.
It similarly admitted that it “misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices”.
The Federal Court ordered the company pay $2.9 million in penalties for engaging in misleading conduct and “contact affected consumers and provide details of how they can regain control of their personal information”.
HealthEngine will also contribute to the ACCC’s legal costs.
More here:
https://www.itnews.com.au/news/healthengine-cops-29m-penalty-over-data-misuse-552059
There is also coverage here:
HealthEngine fined $2.9 million for doctoring its doctor reviews
The booking site also has to write a letter of apology to 135,000 patients whose personal information it passed on to insurance brokers
20th August 2020
HealthEngine will pay a $2.9 million penalty for doctoring patient reviews of GP clinics and passing on patient information to health insurance brokers.
The Federal Court of Australia approved the penalty on Thursday, bringing an apparent end to the two-year saga.
The accusations against HealthEngine began in 2018 with claims the booking business shared 135,000 patients’ personal details with nine different insurance companies which then used the information to contact them as part of their telemarketing campaigns.
The court found HealthEngine asked patients whether they wanted to receive a call about private health insurance, but in a way that implied Health Engine was doing the calling, not that it was sharing the patients’ details with third parties.
The company was also accused of editing patients’ feedback on GP practices to make 3000 reviews look more positive.
Its other tactic was to not publish an estimated 17,000 patient reviews that may have reflected badly on practices.
And if fewer than 80% of patients gave feedback saying they would recommend a practice, the site listed the practice as having no star rating because of insufficient data.
On Thursday, Justice David Yates approved a penalty agreed between HealthEngine and the the ACCC — $1.2 million for the review manipulation, $300,000 for not publishing the low star ratings for practices and $1.4 million for sharing patients’ personal data.
HealthEngine will also have to write an apology letter signed by its CEO, Perth GP Dr Marcus Tan, to the patients whose data was shared with health insurance brokers between 2014 and 2018 (see below).
The fine will be paid in four instalments over two years and the company has also agreed to pay for compliance checks on its business for three years.
It will also pay $50,000 to cover the ACCC’s legal costs.
More here:
https://www.ausdoc.com.au/news/healthengine-fined-29-million-doctoring-its-doctor-reviews
Now I am no lawyer but it seems to me that HealthEngine has got off pretty lightly. I would see the way the company dealt with the reviews and both deceptive and fraudulent. As well it was systematic and carefully executed. I find it hard to understand how such sustained fraudulent and deceptive behaviour did not see someone in jail.
As for the apparent 135,000 privacy breaches it seems to me a much larger fine than $10 per breach might be reasonable – say $50 or $100 per breach – thinking of the scale of the penalties the OAIC has for such deliberate transgressions (often $10,000+)
All in all I reckon they got off pretty lightly. I really find the lack of ethics and moral compass really troubling. I know none of us are perfect but this behaviour seems beyond the pale in a clinically orientated company. What do you think?
David.
8 comments:
It's amazing they thought they could get away with it.
On one hand the result was an improvement on the previously suggested fine. The previous fine I recall was less than the cash they made. That said the fines should have been equal to the penalties from OAIC. What is the point of stating large fines if they are not enforced?
The cloud to this silver lining is the bar has been set, and a low bar it is. I see no deterrent for the next wave.
HealthEngine's CEO Marcus Tan apologised and said the mistakes were due to his company's growing pains. However, when it all hit the fan in 2018 I spoke to him about it and he was surprisingly arrogant. This should absolutely be a cautionary tale.
Everything changed for Marcus Tan when his raising of investment capital happened so easily and quickly. This led to a feeling of invincibility tied to his new found wealth. The ego grew out of control, integrity and moral principles were put to the test, and greed took over.
Hmm a mistake? This seemed pretty intentional to me. Chris they were in cahoots with that ambulance chasing legal firm. I know because for well over a year I kept getting calls to discuss some presumed car accident (that I was never in).
What is an intentional misdirection? While a mistake is unintentional, and an error in judgment can be both with and without intent, an intentional misdirection is all about intent.
I have so much to say about this but don't want David to be subject to a lawsuit. I will just say that Dr Marcus Tan – GP and entrepreneur - should be ashamed.
The ADHA obviously has no problem with organisations misusing personal information obtained under the guise of providing healthcare services. HealthEngine is still approved for MyHR as a mobile app.
@Sarah Conner, good point. I also note the other. Two apps have not had software releases for a longtime, almost as if they are no longer supported. Must be riddled for vulnerabilities. So must for military grade security.
Post a Comment