Popular medical appointment booking app HealthEngine reportedly patient data with law firm

• HealthEngine said it has multiple referral agreements with a wide range of industry players
• This is the second time the service has come under fire following the "fake reviews" debacle

Popular medical appointment booking service HealthEngine has drawn flack for reportedly sharing patients' personal information with a third-party law firm. The ABC obtained documents that showed Perth-based HealthEngine was sharing users' medical information with law firm Slater and Gordon on a daily basis "part of a 'referral partnership pilot' between March and August 2017."

HealthEngine is co-owned by Seven West Media and Telstra. As part of its booking service, HealthEngine requires users to provide personal information when they sign up such date of birth, contact details and medication details. However, when booking an appointment, they are also required to include details of any medical conditions such as symptoms, whether they suffered a workplace injury or have been in a traffic accident.

The ABC reports this data was then shared with Slater and Gordon as part of the referral pilot at "an average of 200 clients a month." A total of 40 referrals reportedly became Slater and Gordon clients, earning the law firm about $500,000 of legal fees.

What information do they collect?

According to HealthEngine's privacy policy, it says it collects information such as name, date of birth, physical and email address, phone number, gender, marital status, occupation, GPS location, allergies, advance health directive, type of appointment booked and reason for booking, private health insurance fund and membership number, Medicare details and user's photograph.

Although HealthEngine stated that consent is opt-in and can choose not to opt for third-party referrals by choosing not to log in with a user account. The service does not allow users to opt-out of having their information shared with third parties.

The ABC further reported that mobile users cannot must agree and opt-in to the terms laid out in order to continue.

Who else is reading it?

HealthEngine CEO and founder Dr. Marcus Tan confirmed that the company does have referral arrangements with multiple industry partners including "government, not for profit, medical research, private health insurance and other health service providers on a strictly opt-in basis." It also stated that these referrals do no occur without users' express consent.

"I would like to reassure users that HealthEngine does not provide any personal information to third parties without the express consent of the affected user or in those circumstances described in our privacy policy," Tan said in a statement. "Contrary to the ABC report's suggestion, consent to these referrals is not hidden in our policies but obtained through a simple pop-up form at the time of booking (see below) or provided verbally to a HealthEngine consultant. Consent to these referrals is entirely voluntary and opt-in, and we do not provide any personal information for the purposes of a referral without this consent."

HealthEngine confirmed it provided referrals to law firms "under previous arrangements", but only with users' "express consent".

Tan added the referral services are "constantly under review" and are "provided as a value-add to our users who opt-in to the service, in order to help them access services they request at relevant stages of their health journey."

Slater and Gordon told 9 News that it "acted and continues to act in accordance with all its legal and ethical obligations regarding its marketing activities."

Ethical dilemma

The news comes just weeks after Fairfax reported that 53% of the 47,900 "positive" patient reviews received had been deliberately edited by the company. In some instances, the reviews had been edited to the extent that they no longer reflected the patient's original opinion.

"Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward," HealthEngine said in a statement at the time. "We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines.

"User trust is paramount to us at HealthEngine and we are conducting an internal and external review of the HealthEngine Practice Recognition System to ensure clarity, compliance, and best practice regarding the way in which we review and publish patient comments."

HealthEngine has since apologized for the issue and removed the reviews.