Case note: when a referral is a privacy breach as well as misleading conduct

In Australian Competition and Consumer Commission v HealthEngine Pty Ltd [2020] FCA 1203, the Federal Court of Australia ordered HealthEngine to pay the Commonwealth of Australia a total pecuniary penalty of $2,900,000 for contraventions of sections 29 and 34 of the Australian Consumer Law. The contraventions related to HealthEngine’s failure to disclose its health insurance referral arrangements, which included disclosing patients’ personal information to brokers, as well as false or misleading representations on its website about its reviews and conduct that was liable to mislead the public.

The penalty was calculated as follows:

  • $1.4 million in respect of the contraventions arising from its referrals to brokers;
  • $1.2 million in respect of the contraventions arising from representations that its reviews were genuine;
  • $300,000 in respect of the contraventions arising from representations that patient feedback was not edited.

HealthEngine operates Australia’s largest online health marketplace. It hosts an online directory listing over 70,000 health practices and practitioners across Australia, and facilitates bookings by consumers (patients) for services provided by those health practices. HealthEngine also published reviews and ratings to enable patients to identify health practices.

HealthEngine admitted that it published feedback received from patients on HealthEngine’s website or mobile phone app, but that it did not publish negative patient reviews, and that it edited or embellished patient feedback so that it appeared more positive before it was published.

HealthEngine failed to disclose to consumers on its platforms that it engaged in that practice, and represented that the Patient Reviews published on the Platforms in connection with health practices and practitioners across Australia were an accurate reflection of the Patient Reviews HealthEngine received from Patients about the Health Practices.

HealthEngine had arrangements with nine different private health Insurance Brokers for which it received fees for referring patients to them. HealthEngine provided the Insurance Brokers with Patients’ non-clinical personal information.

HealthEngine collected this non-clinical personal information each time a Patient booked an appointment with a Health Practice using the Platforms or a HealthEngine widget. As part of the online booking process, HealthEngine asked Patients whether they had private health insurance. Patients were also asked whether they wished to receive a call about health insurance comparison services or to assess the Patient’s private health insurance needs.

It was not necessary for Patients to answer these questions but if a Patient answered “yes” to receiving a call, and then booked an appointment with a Health Practice, HealthEngine provided the Patient’s non-clinical personal information to an Insurance Broker.

HealthEngine used language which did not make it adequately clear that a third party (rather than HealthEngine) would provide the relevant services to Patients. Further, HealthEngine did not make it adequately clear that, if the Patient answered “yes”, the Patient’s non-clinical personal information would be sent to one of the Insurance Brokers.

In the relevant four-year period, HealthEngine’s total revenue from referral fees for 135,000 patients was over $1.8 million.

The personal information provided to an Insurance Broker may have included some or all of the following: the Patient’s name, phone number, email address, date or year of birth, appointment time, type of health care practice the Patient had made a booking with (e.g. GP, chiropractic or dentistry), and/or whether or not the Patient had private health insurance (and if so, the provider).

Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.