Governance & Risk Management , Privacy
Australia's HealthEngine Caught in Data-Sharing Fiasco
Medical Appointment Booking Platform Says It Obtains ConsentAustralia largest medical booking platform, HealthEngine, shared private medical data with a law firm specializing in personal injury, the ABC reported on Monday.
See Also: Data Privacy Compliance and Third-Party Management: A Unified Approach
A pilot referral program passed an average of 200 potential clients a month from HealthEngine to the law firm Slater and Gordon last year between March and August, the broadcaster reported.
HealthEngine maintains that the sharing, which marketers refer to as lead generation, was done with users' consent. But the ABC reports that users have no way to opt out of their data being collected or shared in this manner.
This is disgraceful. I've asked my practice manager to remove the ability to book appointments for me off HealthEngine. https://t.co/s6HSdTaDzo via @ABCNews
— Ines Rio (@InesRio1) June 24, 2018
HealthEngine CEO Marcus Tan, in a statement published on the company's website Monday, says that his company previously provided information to law firms with consent, but now has "no referral arrangements in place with marketing agencies or law firms."
But the company does "have referral arrangements in place with a range of industry partners including government, not-for-profit, medical research, private health insurance and other health service providers on a strictly opt-in basis," Tan writes.
The ABC's story has caused a stir, both among consumers who have used the booking service and medical professionals.
"Patients trust doctors," writes Vyom Sharma, a general practitioner based in Melbourne, Australia, on twitter. "We should take control of appointments through a centralized, connected system that won't sell details to 3rd parties. HealthEngine etc. are a Faustian deal. Patients lose personal info, clinics relinquish price control."
Ines Rio, a general practitioner and chair of the North Western Melbourne Primary Health Network, writes: "This is disgraceful. I've asked my practice manager to remove the ability to book appointments for me off HealthEngine."
The Office of the Australian Information Commissioner, which enforces the country's Privacy Act, tells Information Security Media Group that it "is aware of media reports regarding the app HealthEngine, and is making enquiries with HealthEngine about the details of those reports."
Fully Informed Consent?
HealthEngine, started in 2006 in Perth, Australia, is an online booking platform for consumers and a booking engine for medical practices. The company says it connects 1 million patients a month with some 8,000 health practitioners. The service is free for patients, and it offers a paid-for booking platform for practices.
But in the background of handling bookings, HealthEngine also appears to be a data broker. Its privacy policy states that it may share data with third-party providers, including IT services companies, research services, lawyers and auditors.
HealthEngine also says it may "disclose de-identified information of our users to third parties for analysis, research and quality assurance purposes."
Tan's statement included an example screenshot of the pop-up that HealthEngine displays to gain a user's consent.
Despite HealthEngine disclosing its practices via its privacy policy and the pop-up box, the ABC's story has struck a nerve with the public, as consumers become increasingly aware of the murky trade in data that comes in parallel with free services. These practices also raise questions about whether consumers are truly aware of the implications of their consent.
"There's a term for this disgraceful behavior where you either consent to loss of privacy or don't get the service - it's called bundled consent, and it's time it was outlawed," writes Greens Party MP David Shoebridge on Twitter.
Electronic Frontiers Australia, a digital rights watchdog, criticized HealthEngine in a statement, alleging it shares data on the "flimsiest pretense of patient consent."
"If this ethically dubious behavior is technically legal, then Australia's privacy legislation must be changed," says Justin Warren, who is an Electronic Frontiers Australia board member.
Read Closely: Privacy Policy
As part of the registration and booking process, HealthEngine asks for a variety of sensitive information, "including whether they have suffered a workplace injury or been in a traffic accident," the ABC reported.
The ABC reported that it viewed secret documents showing that the Sydney-based law firm Bannister Law held a contract to pass on referrals from HealthEngine. The law firm Slater and Gordon received the HealthEngine referrals from Bannister Law, it reported.
In a statement, Slater and Gordon says it ensures marketing activity it undertakes "is compliant with applicable laws."
The firm adds: "Slater and Gordon has acted and continues to act in accordance with all its legal and ethical obligations regarding its marketing activities."
Many HealthEngine users have expressed surprise at the ABC's report and HealthEngine's background trade in data.
"The really shit thing about @healthengine hawking my data, is that it didn't even occur to me that my data was the product," Chris Cook, a web application developer based in the Australian city of Canberra, writes on Twitter. "They're embedded in my GP's website as an iframe (with minimal branding), leveraging my trust in my GP to get my data."
But another user contended people should have paid more attention to HealthEngine's privacy policy.
"I've used @healthengine," writes Ron Baumann of Sydney in a tweet that subsequently appears to have been deleted. "The site makes it perfectly clear they pass personal info on. Only an absolute idiot could miss that. People can choose either to agree or not. Move on. Nothing to see here."
HealthEngine Responds
The ABC reports that HealthEngine's mobile app contains a "collection statement" that says if users consent, their information can be passed on to private health insurance comparison services, credit services for cosmetic and dental procedures and legal service providers.
But the broadcaster contends that "there is no opportunity to opt out of terms in the collection statement if patients want to use the app."
HealthEngine disputes this. While efforts by ISMG to reach HealthEngine were unsuccessful, the company has been busy on Twitter trying to respond to users' queries via identical statements that contest the ABC's assertions.
HealthEngine's response reads: "Contrary to the ABC report's suggestion, consent to these referrals is not hidden in our policies but obtained through a simple pop-up form at the time of booking or provided verbally to a HealthEngine consultant.
"Users are able to continue to use our booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form," HealthEngine writes. "Hope this has helped clarify things."