3rd Party Risk Management , Governance & Risk Management , Incident & Breach Response
HealthEngine Offered $25 Gift Vouchers for Dental Invoices
Patients, Dentist Alarmed By HealthEngine, Which Claims It Had ConsentAustralia's HealthEngine offered AU$25 (US$19) gift vouchers to dental patients who sent photos of their treatment invoices to the company, which it positioned to patients as "invaluable" research that benefited itself.
See Also: Gartner Market Guide for DFIR Retainer Services
The medical booking platform, which is now embroiled in a privacy controversy, contacted three patients in June 2017 after their appointments, says Shawn Rama, who runs a dental practice, The Dental Room, in North Balwyn, Victoria.
The patients had booked appointments using HealthEngine, which is a web-based directory of medical services. Rama says that neither he nor his patients were aware that HealthEngine believed it had consent for such activity.
"I wasn't very happy about that," Rama says. "The clients complained to me and said, 'Is this the right thing to do?' They were a little bit alarmed."
Rama says he had little knowledge of the company's data-driven marketing practices when he signed up to the platform in early 2017. Rama, who stopped using HealthEngine after the incident, says he takes patient confidentiality seriously and feels his dental fees are confidential.
"I feel my costs are my private information, and I didn't sign up [with HealthEngine] for that information to be shared," he says.
Probably Legal, But...
Some privacy experts say HealthEngine's collection of invoices is probably legal. But they warn that the way HealthEngine went about obtaining consent likely contravenes elements of Australia's Privacy Act. The act governs how organizations can collect data and what they must communicate to people when doing so.
They also say that HealthEngine's data collection practices raise complex trust issues between patients and medical providers. The company's reliance on overly broad privacy and data collection policies may be hewing to the letter of the law, but does not have the intended effect, they contend.
"You can see how if people running these kinds of apps contact patients, that makes patients upset with the practice even if the practice hasn't done anything wrong," says Belinda Reeve, a lecturer in health law at the University of Sydney.
In a statement provided to Information Security Media Group, HealthEngine CEO Marcus Tan contends that the company has a "direct relationship" with its users. Those users, he says, were contacted in accordance with its privacy policy and terms of use and asked if they wanted to participate in the research.
"The policy expressly states that we can use information to communicate with users about products and services of HealthEngine," Tan says. "From time to time, like many other organizations, we conduct customer research to enable us to better understand our users and the goods and services we provide. This has previously involved conducting research into pricing for certain health services."
Under Investigation
HealthEngine is already under investigation by the Office of the Information Commissioner, which enforces the Privacy Act (see Australia's HealthEngine Caught in Data-Sharing Fiasco).
That investigation was launched after the broadcaster ABC reported on June 25 that HealthEngine transferred personal details of people who had booked appointments to personal injury lawyers, part of what marketers call a lead-generation program or third-party referrals. The referrals were based upon health information provided by patients.
HealthEngine maintains that users could have opted out of having their personal details shared with third parties. But the company's application does not appear to let users book appointments without consenting to having their information shared.
As a result of the ABC report, patients and medical professionals criticized HealthEngine. On Thursday, CEO and co-founder Marcus Tan announced that the company was ending its third-party referral service as well as banner advertising on its service.
"We hope to rebuild this trust to allow us to continue to do more of the good work we have done in improving the healthcare experience of millions of Australians," Tan writes.
Despite defending the company's practices since the privacy controversy flared, Tan writes that HealthEngine will "give users greater visibility and control over the way we manage their personal information." An advisory group will also be established that's intended to work closer with health providers, consumer bodies and regulators.
Tan writes that HealthEngine will no longer allow patients to write reviews of practices, a feature it called the Practice Recognition System. Fairfax Media found that HealthEngine had been rewriting negative reviews to positive ones.
Then on June 29, HealthEngine reported a data breach related to the reviews system. It said the personal information of 75 reviewers were exposed as a result of a coding error in the website (see HealthEngine's Latest Problem: A Data Breach).
Myer Gift Voucher
The premise under which HealthEngine contacted Rama's patients raises a host of layered, nuanced questions related to the Privacy Act, experts say.
HealthEngine called the patients after their appointments. If the patients consented, they received an email asking for the dental invoice. If the invoice was provided, HealthEngine would give the patient a AU$25 gift voucher for Myer department stores within 72 hours.
One issue is the initial phone call to patients, says Katherine Sainty, founder of Sainty Law and a lawyer who specializes in technology and media law. Patients would have only divulged their contact details for the specific purpose of booking an appointment, she says.
HealthEngine disagrees. In a statement, it tells ISMG: "The Privacy Act allows for personal information to be used not only for the primary purpose for which it was provided but also for secondary purposes."
The rules around secondary use of data fall under Australian Privacy Principle 6.
That phone call may have actually offended a number of the 13 Australian Privacy Principles, which require transparency around the use of data, Sainty says. "You're supposed to tell people what you are collecting and what you are going to do with it," she says.
Telling users that the invoice data is needed for "research" alone is not enough, Sainty says. If the data is actually being collected to help HealthEngine drive its business better, then HealthEngine "is trading on ambiguity," she says.
The University of Sydney's Reeve says there are stringent guidelines around health research developed by the Privacy Commissioner. "You have to show it's not just research to make your app better," Reeve says.
Failing On Trust?
The surprise expressed by patients and Rama at HealthEngine's actions also signals that while the company may be complying with the letter of the law, it is failing on trust.
"You've got a mismatch and misunderstanding of that softer requirement - the community expectation or even the ethical expectations," Sainty says.
Melanie Marks, principal of the Sydney-based privacy and cybersecurity consultancy elevenM, says the email to Rama's patients does not appear to pass muster.
"That's not a valid consent and not a valid privacy notice," Marks says. "Just because you pay money for information doesn't mean you can eschew your obligations to be transparent under the Privacy Act."
Rama shared with ISMG emails he exchanged with HealthEngine after he complained. HealthEngine was collecting dental invoices "to allow us to better understand how we should position our own fees and charges related to such services," according to a product manager. The manager indicated the dental invoice collection program had ended by June 2017.
The dental information would be extremely valuable, Sainty says. It could indicate how often people go to a dentist for certain procedures and allow for marketing activities to remind people six months out, for example, to book a checkup. Also, a report on pricing practices of dental services would be very useful for clinics, Sainty says.
Where The Money Is: Personal Data
Investors have put tens of millions of dollars into HealthEngine since its founding in 2006. Last year, HealthEngine raised AU$26.7 million in a funding round led by Sequoia India, which is part of Silicon Valley's Sequoia Capital.
In 2013, Telstra Ventures and Seven West Media invested AU$5.2 million each in HealthEngine. The Australian Financial Review said in April 2017 that HealthEngine had raised close to AU$50 million, with the company's valuation likely more than AU$100 million.
Although HealthEngine is a medical booking service for patients and a software platform for practices, it is more accurately described as a sophisticated digital marketing agency.
"They [HealthEngine] openly admitted to us when I was there that they were building up a database of customer details which they said would be some of the most valuable data on the market."
—Former HealthEngine employee
Its revenue comes from a variety of advertising products, booking platform fees and, at least until last week, lead-generation programs. But according to a former HealthEngine employee with knowledge of the company's business plans, the company knew that the medical booking system wasn't "where the money was."
"They [HealthEngine] openly admitted to us when I was there that they were building up a database of customer details which they said would be some of the most valuable data on the market," says the former employee, who spoke on the condition of anonymity.
"It was openly talked about that having a database of what people had booked medical appointments for, name, age, date of birth, contact details ect. (all the info that HealthEngine requires to make a booking) would be lucrative to them," the former employee says.
Toxic Data Trade
The trade in personal data, however, has become an increasingly toxic issue. Frustration with technology giants such as Facebook, in part, propelled the Europe Union's drafting of the General Data Protection Regulation, which aims to force companies to be more transparent about their data collection and use practices.
It's unclear how much HealthEngine depends on third-party referrals that hinge on people's personal data for revenue. Such programs are valuable because they deliver sales leads of people who fit a profile as a potential purchaser of a product.
HealthEngine asks users, prior to booking a medical appointment, whether they've suffered a workplace-related injury or been in a car accident. The company sent 200 leads a month between March and October 2017 to the law firm Slater and Gordon, the ABC reported. Slater and Gordon handles personal and workplace injury cases.
HealthEngine also has robust advertising business: Patients see advertising in booking reminders, and practices see advertising in the same type of reminders. There are also a variety of email direct marketing products, including newsletters.
Its business-to-business marketing effort finds companies interested in advertising their services to clinics. HealthEngine can also target advertising at consumers who have used the HealthEngine app but are not actively using it.
That type of ad serving is known as re-targeting. A cookie, or small data file, on a user's phone or computer records when someone has visited HealthEngine.
When a user is on another website, the cookie is recognized and an ad can be served. HealthEngine says the targeting can be based on patient characteristics, such as whether or not they have private insurance. That information is again collected through surveys and polls.