HealthEngine has notified the Office of the Australian Information Commissioner that the identifying details of 75 of its users had been exposed, with those affected informed by the company on Friday in line with the Notifiable Data Breach Scheme.

The latest revelation follows an Australian Medical Association statement supporting the investigation announced by Health Minister Greg Hunt in late June into the scandal-plagued platform’s sharing of patient data with third parties, with the AMA claiming it also has concerns about the practices of other digital health companies.

But HealthEngine founder and CEO Dr Marcus Tan has continued to claim patients provided “express consent” to have their information shared, including with a personal injury law firm, while conceding that his company would soon announce changes to its business model.

The saga began in June when Fairfax Media revealed that 53 per cent of the "positive" patient reviews of medical practices published on the online healthcare appointment booking platform had been edited, some drastically. The report was based on an analysis of the original and edited versions of 47,898 reviews that were visible via the HTML source code on the HealthEngine site. Of those, 75 contained identifying information.

Tan said in a statement that the published patient feedback function had been shut down and would not be reinstated until the problem had been corrected.

“Due to an error in the way the HealthEngine website operated, hidden patient feedback information within the code of the webpage was improperly accessed. This information is ordinarily not visible to users of the site,” Tan said.

He said the company, which is backed by Telstra, Google and Seven West Media, had worked around the clock to investigate how the breach occurred, who was affected and how to respond.

“We take data security very seriously, and acted swiftly and decisively when we became aware of the breach, to identify the error and shut down the published patient feedback function of the Patient Recognition System on the website.”

Meanwhile, following an ABC investigation that exposed the company for funnelling the private patient information of hundreds of patients to legal firms searching for personal injury cases, Health Minister Greg Hunt ordered an "urgent review".

The AMA’s President Dr Tony Bartone responded on Friday and said the doctors’ advocacy group is concerned about any irregularities or threats related to patient privacy, patient consent, the organisation’s code of ethics and medical ethics more broadly by HealthEngine and other companies.

“We also have concerns about anything that could diminish community trust in the medical profession and any actions that may undermine public confidence in embracing electronic health initiatives, which the AMA strongly supports,” Bartone said.

“There is also the serious matter of the potential of third parties to profit from having access to confidential and private patient information.

“The AMA’s concerns extend beyond HealthEngine to other apps, websites, and services, currently being promoted by commercial entities and health sector bodies, which raise similar questions about privacy and ethics.”

Tan, however, has maintained a crisis communications strategy that has included posting a video statement on the HealthEngine website defending the company’s conduct and reinforcing that My Health Record data wasn’t at risk.

“As a doctor I am very conscious about the sensitivity of patient information and health information. I want to reassure our users that no personal information is passed on to third parties without your express consent or within the circumstances of our privacy policy,” Tan said in the footage.

“So obviously HealthEngine is a booking system primarily and you can definitely use that system without having to opt in to any other third-party referrals. HealthEngine is one of the few Australian health technology companies that has worked with the government to be able to contact through to the My Health Record, which is a very important piece of national infrastructure. I want to absolutely stress to our users that whilst we have that connection we do not have any ability to view what’s in that record and therefore obviously do not share that information to anyone.”

In another statement uploaded to the homepage of the “largest Australian healthcare online marketplace”, which is used by almost 2 million users a month, Tan said he has written to GP practices and health industry peak bodies to “put the record straight and reassure them with respect to recent media reports about HealthEngine’s management of user data”.

Tan claimed that media reports “had created the incorrect impression that the health and personal information of HealthEngine users is being widely shared with third parties without their knowledge. This simply is not true”.

Users, he said, could elect to have their details provided to third parties.

“HealthEngine has referral and advertising arrangements in place with a range of industry partners, including government, not for profit, medical research, private health insurance and other health service providers.

“Referrals do not occur without the express consent of the user.”

But Tan conceded that the series of scandals had damaged the sector’s reputation.

“We at HealthEngine are devastated by the developments of recent weeks because we feel our mission of a connected healthcare ecosystem that empowers the world’s best care experiences and the cause of digital health in Australia as a whole has been set back.

“As we have grown to serve millions of Australians every year and help them get better access to healthcare, we have invested heavily to scale our systems, people and processes to accommodate our growth and recognise the impact we now have.

“Nevertheless, we acknowledge that, despite being well intentioned and trying to innovate in health care, recent media coverage has damaged the trust we have built up over many years with our users, customers and industry partners.”

Tan said the company had heard the feedback from customers and users who are concerned about data privacy, and that it is changing its practices.

“In order to restore the public’s confidence in HealthEngine’s management of user information, HealthEngine has decided to make substantial changes to its business model around advertising and referrals.”

An announcement on the new direction is expected to be made within the week.

“We sincerely hope that by taking the steps we are about to take and by being open to more feedback and learning that we can regain that trust and continue to have the opportunity to deliver value to the healthcare sector and millions of our users in better ways than we have done before,” Tan said.
