Security News

Multi-Million-Dollar Fine for Medical Booking App After Selling Patient Data

A multi-million dollar fine is on the cards for Australia's biggest medical appointment booking app, HealthEngine, after it was found to be selling patient data to insurance brokers.

The Australian Competition and Consumer Commission (ACCC) has launched legal action against HealthEngine in the Federal Court, accusing it of misleading and deceptive conduct.

The ACCC is accusing the company of forwarding the data - including names, phone numbers, dates of birth and email addresses - of around 135,000 patients to insurance brokers for payment. Just how much money the company earned from these dealings has not been disclosed.

"Patients were misled into thinking their information would stay with HealthEngine but, instead, (it) was sold off," the ACCC said in a statement.

The ACCC also claims that between March 31, 2015, and March 1, 2018, HealthEngine "manipulated the patient reviews it published, and misrepresented to consumers why HealthEngine did not publish a rating for some health practices. (It) disregarded around 17,000 reviews, and altered around 3,000 in the relevant time period."

The ACCC alleges that one patient submitted the review:

"The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online."

But when it appeared, it was allegedly changed to:

"The practice is good."

Each breach carries a fine of AU$1.1 million, and the ACCC is yet to decide how many breaches it will pursue. The total fine, which may reach into the many millions, will prove a financial burden for HealthEngine after it posted a $13 million loss for the 2017-18 financial year.
