In a decision handed down in Australian Competition and Consumer Commission (ACCC) v Health Engine Pty Ltd (HealthEngine) on 20 August 2020, the Federal Court of Australia ordered that HealthEngine pay a whopping $2.9 million in penalties for engaging in misleading and deceptive conduct regarding the sharing of patient personal information and publishing misleading patient reviews and ratings.
HealthEngine and its conduct
HealthEngine operates Australia’s largest online health marketplace, used by over a million consumers every month. It hosts an online directory listing over 70,000 health practices and practitioners across Australia and facilitating bookings by consumers for services provided by those health practices.
HealthEngine admitted that from April 2014 to June 2018 it disclosed non-clinical personal information, such as names, dates of births, phone numbers and email of addresses of more than 135,000 patients to third party private health insurance brokers, without adequately disclosing this to consumers. It earned close to $2 million from its arrangements with brokers during this period.
It also admitted to manipulating 3,000 consumer reviews by removing negative comments on health practitioners, and failing to publish an additional 17,000 reviews.
The ACCC commenced its investigation in July 2018 and began proceedings in 2019 in the Federal Court. It succeeded in claiming that HealthEngine had deprived consumers of the option to control how their personal information was disclosed to insurance brokers, as it had not mentioned these disclosures in its privacy policy nor did it otherwise obtain consent from consumers to such disclosures.
Findings and orders
The Court found that HealthEngine’s manipulation of reviews, resulting in failure to disclose other patient experiences with practitioners listed on the platform, may have resulted in patients making ill-informed decisions and choosing providers they may have otherwise avoided. HealthEngine benefited financially from this conduct, receiving referral fees from health practitioners listed on its platform, as well as its fees from insurance brokers.
As HealthEngine admitted liability for its conduct, the only issue at hand was that of remedy.
Apart from the $2.9 million fine, the ACCC ordered HealthEngine to engage in an independent annual review of its existing compliance program for a period of three years and to implement any changes identified as necessary by an independent reviewer.
HealthEngine is also required to contact patients whose personal information was provided to an insurance broker during the four-year period, informing them of the fact that their information had been provided to an insurance broker, the identity of each such broker, the nature of the referral conduct and the fact that the Court has found the conduct to be in contravention of the Australian Consumer Law. HealthEngine is also required to provide instructions as to how the patient can request that his or her Personal Information be deleted.
Lessons learned
This case demonstrates the significant and increasing involvement of the ACCC in regulating privacy issues. While the Privacy Commissioner/Office of the Australian Information Commissioner remains the primary regulator of privacy issues, the ACCC is not reluctant to bring actions for serious privacy breaches where misleading and deceptive conduct is a major element.
Businesses need to be mindful of their privacy obligations, have clear and consistent privacy policies, and act in accordance with those policies. It is not enough to prepare and publish a privacy policy — the organisation must continue to abide by it.
Privacy policies need to actually reflect the organisation’s privacy practices, and if those practices change the policies should be amended accordingly.
Further, businesses that publish consumer reviews must be careful not to manipulate or cherry pick those reviews so as to misrepresent the range of consumer experiences.
Businesses should seek legal advice in relation to their obligations under the Privacy Act regarding the collection and handling of personal information and ensure that they have an effective and up to date privacy policy. We have extensive experience in preparing such policies and advising on the requirements of both the privacy legislation and the Australian Consumer Law.
More information
For more information, or advice in relation to your obligations under the Competition and Consumer Act or Privacy Act, please contact:
Jeremy Goldman, Principal Lawyer Head of Commercial and Corporate T (03) 8600 8886 E jgoldman@kcllaw.com.au | Daniel Kovacs, Principal Lawyer Co-Head of Intellectual Property and IT T (03) 8600 8859 E dkovacs@kcllaw.com.au |
David Weinberger, Principal Lawyer Head of Litigation and Dispute Resolution T (03) 8600 8863 E dweinberger@kcllaw.com.au | Roger Rothfield, Special Counsel T (03) 8600 8895 E rrothfield@kcllaw.com.au |
Author
This Competition and Consumer Law update was authored by Daniel Kovacs, Principal Lawyer.
Note: This update is a guide only and is not intended to constitute legal advice.