In a decision handed down in Australian Competition and Consumer Commission (ACCC) v Health Engine Pty Ltd (HealthEngine) on 20 August 2020, the Federal Court of Australia ordered that HealthEngine pay a whopping $2.9 million in penalties for engaging in misleading and deceptive conduct regarding the sharing of patient personal information and publishing misleading patient reviews and ratings.
HealthEngine and its conduct
HealthEngine operates Australia’s largest online health marketplace, used by over a million consumers every month. It hosts an online directory listing over 70,000 health practices and practitioners across Australia and facilitating bookings by consumers for services provided by those health practices.
HealthEngine admitted that from April 2014 to June 2018 it disclosed non-clinical personal information, such as names, dates of birth, phone numbers and email addresses, of more than 135,000 patients to third-party private health insurance brokers, without adequately disclosing this to consumers. It earned close to $2 million from its arrangements with brokers during this period.
It also admitted to manipulating 3,000 consumer reviews by removing negative comments on health practitioners, and failing to publish an additional 17,000 reviews.
Findings and orders
The Court found that HealthEngine’s manipulation of reviews, resulting in failure to disclose other patient experiences with practitioners listed on the platform, may have resulted in patients making ill-informed decisions and choosing providers they may have otherwise avoided. HealthEngine benefited financially from this conduct, receiving referral fees from health practitioners listed on its platform, as well as its fees from insurance brokers.
As HealthEngine admitted liability for its conduct, the only issue at hand was that of remedy.
Apart from the $2.9 million fine, the ACCC ordered HealthEngine to engage in an independent annual review of its existing compliance program for a period of three years and to implement any changes identified as necessary by an independent reviewer.
HealthEngine is also required to contact patients whose personal information was provided to an insurance broker during the four-year period, informing them of the fact that their information had been provided to an insurance broker, the identity of each such broker, the nature of the referral conduct and the fact that the Court has found the conduct to be in contravention of the Australian Consumer Law. HealthEngine is also required to provide instructions as to how the patient can request that his or her Personal Information be deleted.
This case demonstrates the significant and increasing involvement of the ACCC in regulating privacy issues. While the Privacy Commissioner/Office of the Australian Information Commissioner remains the primary regulator of privacy issues, the ACCC is not reluctant to bring actions for serious privacy breaches where misleading and deceptive conduct is a major element.
Privacy policies need to actually reflect the organisation’s privacy practices, and if those practices change the policies should be amended accordingly.
Further, businesses that publish consumer reviews must be careful not to manipulate or cherry-pick those reviews so as to misrepresent the range of consumer experiences.
For more information, or advice in relation to your obligations under the Competition and Consumer Act or Privacy Act, please contact:
Jeremy Goldman, Principal Lawyer
Head of Commercial and Corporate
T (03) 8600 8886
Daniel Kovacs, Principal Lawyer
Co-Head of Intellectual Property and IT
T (03) 8600 8859
David Weinberger, Principal Lawyer
Head of Litigation and Dispute Resolution
T (03) 8600 8863
Roger Rothfield, Special Counsel
T (03) 8600 8895
This Competition and Consumer Law update was authored by Daniel Kovacs, Principal Lawyer.
Note: This update is a guide only and is not intended to constitute legal advice.