Digital platforms such as Health Engine are currently being strictly scrutinised for security breaches and other privacy violations by the Australian Competition and Consumer Commission (“ACCC”).
The ACCC has instituted legal action against health IT firm Health Engine on two grounds
- The allegation that Health Engine indulges in the practice of selective editing of reviews of health practices provided by patients thereby misleading the community. Though this practice has been discontinued in the face of severe criticism, the ACCC believe that action against the organisation is necessary for damage done;
- For an organisation like Health Engine, maintaining privacy of patient data is crucial and Health Engine breached these obligations. The ACCC alleges that Health Engine has been sharing patient data with third parties by falsely obtaining the consent of the patients and, in some instances, even without notifying them. It has been reported that Health Engine has obtained the consent of the patients by telling them that the data is required if they wish to obtain insurance.
The CEO of Health Engine has stated that the sole aim for publishing reviews is to benefit patients by assuring them of the quality of the practice they were booking with. However, this aim has been frustrated by Health Engine allegedly creating a hover link on the “no-rating” notation against health practices which, when activated, displayed the phrase - “There is currently insufficient data to calculate a patient satisfaction level”. This practice was termed as “particularly egregious” by the ACCC.
It has been further alleged by the ACCC that personal information of patients has been shared with several insurance brokers for a fee. In doing so, Health Engine used language that could lead patients to believe that Health Engine itself provides insurance services.
These actions of Health Engine have been widely condemned by ACCC on the basis that they are misleading and deceptive. The ACCC is seeking penalties and is applying for a court order that would require Health Engine to contact affected consumers and provide them with explanation as to how they can regain control of their personal information. These actions will affect many organisations engaged in similar services to that of Health Engine.