The digital health sector’s interpretation of patient consent and its use of people’s health data has been placed under increased scrutiny with claims HealthEngine has brought the medical profession into disrepute and behaved with impunity following the company’s latest scandal.

The future of Australia's most successful online GP appointment booking service appears uncertain after patients and doctors rose to condemn its privacy practices and the Health Minister Greg Hunt ordered an "urgent review" following an ABC investigation that exposed the company for funnelling private patient information to legal firms searching for personal injury cases.

Hundreds of patients were ensnared in the practice by the Perth-based start-up, which is part-owned by Telstra, Google and Seven West Media, with secret documents obtained by the ABC from law firm Slater and Gordon revealing HealthEngine was providing a daily list of patients who had booked appointments via the platform and met certain criteria within a "referral partnership pilot".

It provided an average of 200 potential clients per month during a six-month period in 2017, with 40 people taking on Slater and Gordon to represent them, contributing a projected $500,000 in legal fees. According to the ABC, the referrals to Slater and Gordon were made via Bannister Law, which held a contract with HealthEngine.

A spokesperson for Federal Minister for Health Greg Hunt said the government has requested the Office of the Australian Information Commissioner and the Australian Digital Health Agency investigate the issue.

But subsumed by a public relations catastrophe as media interest grew and Twitter erupted with criticism today, HealthEngine responded by refusing interviews and refuting the allegations on its homepage and social media.

In a statement, HealthEngine founder and CEO Dr Marcus Tan claimed the company had only shared information with third parties with patients’ “express consent”.

“We respect the privacy of our users and appreciate the trust they place in us,” Tan wrote.

“I would like to reassure users that HealthEngine does not provide any personal information to third parties without the express consent of the affected user or in those circumstances described in our privacy policy.

“We do have referral arrangements in place with a range of industry partners including government, not for profit, medical research, private health insurance and other health service providers on a strictly opt-in basis.

“These referrals do not occur without the express consent of the user.”

Tan claimed the voluntary opt-in process is “not hidden in our policies” and is an additional service designed to help patients access services “they request at relevant stages of their health journey”.

HealthEngine’s privacy policy doesn’t mention that information could be shared with third parties for marketing purposes, instead a "Collection Notice", which users must accept to confirm a booking, says:

“If you consent, we may also provide your personal information to providers of other products and services which may be of interest to you, such as private health insurance comparison services, providers of finance credit for cosmetic and dental procedures, and providers of legal services.”

HealthEngine has been an Australian digital health success story, attracting 2 million unique visitors each month and 8000 health practitioners including GPs, dentists, physiotherapists, optometrists and other health practitioners signed up to the system.

The company, which was exposed earlier this month in a Fairfax investigation for tampering with online reviews of GP practices, is one of five authorised third- party apps which provides consumers with secure ’view only’ access to their My Health Record.

[Read more: Online GP booking giant apologises and removes patients’ reviews of clinics after it’s caught deleting negative commentsUS law firms to send geofenced ads to ER patients' smartphones spruiking for personal injury cases]

According to a spokesperson for the Australian Digital Health Agency, which in July will begin the three month opt-out process for My Health Record, these authorised apps do not permit any storage of My Health Record information on their systems and they are prohibited from passing the information onto a third party.

“All third party app providers which offer customers the ability to view their My Health Record through their app must undergo strict assessment and are authorised and contracted under a Portal Operator Agreement. Consumers must download and explicitly consent to an authorised app connecting to their My Health Record and at any time are able to withdraw this consent,” the ADHA spokesperson said.

But this latest HealthEngine scandal has sparked an avalanche of concerns online about issues of consent and the level of respect held within some digital health companies for the long-held privacy principles of the medical profession.

Writing in The Guardian, oncologist and commentator Dr Ranjana Srivastava claimed HealthEngine should be ashamed of conduct that is out of step with healthcare practice.

“How many euphemisms for deception do patients deserve? For a business that claims to put patients at the centre of care, where, pray, is that centre?”

Srivastava says the implications for behaviour such as altering reviews to make them more positive brings the industry into disrepute.

“In doing so, HealthEngine has also managed to score an own goal against the entire medical profession which is battling to save its reputation amid damning allegations over cost, access and quality of care. If trust in doctors is failing, the unethical actions of HealthEngine have nudged it lower.”

Meanwhile, in an extraordinary statement the Australian Dental Association has claimed: “It’s not just HealthEngine”, and urged for greater scrutiny of the activities of Whitecoat, a health service provider directory.   

“Whitecoat purports to be an independent means for the public to search for healthcare providers, but the fact that three health funds have significant shared ownership of this service and has representation on its Board raises real questions. The ADA is concerned about conflicts of interest,” ADA President Dr Hugo Sachs said.

He said consumer searches for local health providers list results based in part on whether providers have paid Whitecoat a monthly fee. Whitecoat’s moderation policy also gives it the right to edit, remove or not publish patient reviews, which the ADA claimed “puts it in a position to favour dentists contracted to those three health funds”.

Sachs claimed the ADA was aware of cases in which Whitecoat’s reviews had displayed positive reviews and ratings for practitioners who had been suspended by the Australian Health Practitioner Regulation Agency.

He called on government regulators to closely monitor the content on Whitecoat and said the onus should not be placed on consumers to trawl through the fine print of apps and online services.

“Informed consent is a key principle in healthcare and should extend to online services seeking to link consumers to healthcare providers. Consumers’ health information is particularly sensitive. As a bare minimum, there should be a legislative requirement giving consumers the ability to opt out of sending their health data to third parties for commercial purposes,” Sachs said.

The Consumers Health Forum said the HealthEngine revelations raised “disturbing” questions about the potential hazards for the privacy and security of online medical information.

“We are all eager to see our experience of the health system improved by digital solutions: there is much we can all benefit from. Health has lagged behind other services sectors for too long in this regard,” Consumers Health Forum CEO Leanne Wells said.

“This is a negative development for patients and doctors and a blow to community confidence in the potential benefits use of digital has for the community.” 

Wells claimed practitioners using HealthEngine needed to ensure that patient data was protected from marketing practices, and she criticised the online portal’s “questionable” practice of seeking information about patient symptoms when appointments were booked.

“Why should a booking service seek such information?

“These are serious questions for medical practitioners and their patients and indicate there is a fine balance that needs to be struck between reaping the benefits of a digital health future with the rights of patients to privacy and protection of their health information. Consumer confidence and trust is paramount,” Wells said.

To share tips, news or announcements, contact the HITNA editor on




White papers