On 20 August 2020, the ACCC obtained a Federal Court order fining a health tech company $1.4 million for misleading and deceptive conduct relating to disclosures of personal information. (Note that the total fine was $2.9million but the remainder related to other misconduct)
In addition to the fine, HealthEngine (HE) was also ordered to engage an independent auditor of their compliance program for three years; and contact patients whose personal information was provided to an insurance broker informing them of the following matters:
- the fact that their personal information was provided to an insurance broker,
- the identity of each insurance broker to whom that patient’s personal information was provided,
- the nature of the conduct,
- the fact that the Court found the conduct to be in contravention of the ACL, and
- and instructions as to how the patient can request that his or her personal information be deleted.
The relevant conduct
HE operates a website at http://www.healthengine.com.au and mobile app which allowed patients to make bookings with and review clinicians.
HE had arrangements with different private health insurance brokers for which it received fees for referring patients to them. HE provided the insurance brokers with patients’ non-clinical personal information. They collected this information each time a patient booked an appointment with a Health Practice using their Platforms or a HE widget.
As part of the online booking process, HE asked patients whether they had private health insurance. Patients were also asked whether they wished to receive a call about health insurance comparison services or to assess the patient’s private health insurance needs.
It was not necessary for patients to answer these questions but if a patient answered “yes” to receiving a call, and then booked an appointment with a medical practice, HE provided the patient’s non-clinical personal information to an insurance broker.
the ACCC alledged, and it was accepted, that HE used language which did not make it adequately clear that a third party (rather than HE) would provide the relevant services to patients. Further, HE did not make it adequately clear that, if the patient answered “yes”, the patient’s non-clinical personal information would be sent to one of the insurance brokers. Accordingly, this was misleading and deceptive conduct under the Australian Consumer Law and so HE was fined by the ACCC.