Cordato Partners, Business Lawyers, Property Lawyers, Tourism Lawyers
 

 

HealthEngine pays the penalty for misleading testimonials and privacy breaches

 

HealthEngine operates Australia’s largest online health marketplace, listing over 70,000 health practices and practitioners across Australia. Through its website and mobile phone app platforms, HealthEngine provides access to its online directory and an online booking system that enables Patients to book consultations with Health Practices.

HealthEngine is an Australian digital health success story. According to the Federal Court, it derived revenue of $17 million in the 2018 Financial Year (and made a net loss of over $13 million).

It derives revenue from ‘new’ patients making online bookings with Participating Health Practices, referral fees from health insurance brokers and law firms, and from advertising.

According to its press release of 5 August 2020, more than 7 million people across Australia have made more than 30 million bookings on the HealthEngine platforms since 2007.

But it’s not all been smooth sailing. As it states in its press release of 20 August 2020: “When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers.”

The failure to meet the high expectations of the community and our customers is a reference to three serious contraventions of the Australian Consumer Law (the ACL) which are described in Australian Competition and Consumer Commission v HealthEngine Pty Ltd [2020] FCA 1203 (20 August 2020), a judgment of Justice Yates in the Federal Court of Australia.

We analyse those contraventions in this article.

Contravention #1 Misleading Reviews/Testimonials

What was the misleading conduct?

Between 31 March 2015 and 1 March 2018, HealthEngine:

  1. Did not publish 17,000 reviews from patients in which they did not recommend the health practice they attended; and
  2. Edited a further 3,253 reviews, some by removing negative comments, others by making minor typographical or grammatical amendments, to make them more favourable to the health practice before publishing them on the platforms.
    For example:
    Actual review: “The doctors are very good. However the delay at times is not satisfactory. Last visit I was waiting 2.5hrs!”
    Edited review: “The doctors are very good.”

What were the contraventions?

The first was that it did not inform the patients that their reviews had been doctored in these ways. All HealthEngine did was email the Patient a hyperlink to the webpage on which the “review” was published and advise that the “review” may have been modified.

The second was that by publishing the Patient Reviews on the platforms, it represented that they were an accurate and genuine reflection of the Patient Reviews it had received, when they were misleading because of the modifications made.

The genuine reviews/testimonials representations constituted misleading conduct which contravened s 18 of the ACL, and were misleading representations as to the standard, quality, value or grade of the services, which contravened s 29(1)(b) of the ACL.

What was the penalty?

In the absence of evidence of financial loss to consumers or of financial gain to HealthEngine, and taking into account that the ACCC accepted that HealthEngine’s senior management did not intend to breach the ACL and that HealthEngine co-operated with the ACCC, the Court imposed a penalty of $1.2 million.

Note: HealthEngine no longer publishes reviews/testimonials.

Contravention #2 Misleading Ratings Conduct

What was the misleading conduct?

Between 31 March 2015 and 1 March 2018, HealthEngine:

  1. Conducted surveys which included the Ratings Question, designed to ascertain whether the Patient would recommend the Health Practice to others; and
  2. If the Health Practice had opted to participate, would publish a percentage or a number and image of a star (for example, 4.9*) on the platforms based on responses; and
  3. Did not publish a practice rating for Health Practices if the rating was below 80%. Instead, it published that there was no rating on the platforms; and
  4. For Participating Health Practices that had a no-rating notation, attached a hover link to that notation which read “There is currently insufficient data to calculate a patient satisfaction level”.

What were the contraventions?

By publishing the no-rating notation in combination with the hover link, HealthEngine represented that it had not received sufficient feedback from Patients to calculate and publish a rating, when it had sufficient feedback to publish a practice rating but chose not to do so because the rating was less than 80%.

This conduct was likely to create a more positive or favourable impression in the minds of consumers who used the platforms to find a suitable Health Practice.

The insufficient feedback representations constituted misleading conduct which contravened s 18 of the ACL, and were misleading representations that purport to be a testimonial by any person relating to goods or services, which contravened s 29(1)(e) of the ACL.

What was the penalty?

In the absence of evidence of financial loss to consumers or of financial gain to HealthEngine, and taking into account that the ACCC accepted that HealthEngine’s senior management did not intend to breach the ACL and that HealthEngine co-operated with the ACCC, the Court imposed a penalty of $300,000.

Note: HealthEngine no longer publishes ratings for Health Practices.

Contravention #3 Misleading Personal Information Use / Privacy breaches

What was the misleading conduct?

Between 30 April 2014 and 30 June 2018, HealthEngine:

  1. Collected non-clinical personal information (name, phone number, email address, date or year of birth, appointment time, type of health care practice for the appointment and whether or not the Patient had private health insurance);
  2. For Patients who answered “yes” to the question “Would you like a free call from our private health insurance experts to ensure you’re not paying more than you should be?” and who booked an appointment with a Health Practice using the platforms, HealthEngine would send the Patient’s non-clinical personal information to one of nine different private health insurance brokers with which it had referral fee arrangements.

What were the contraventions?

Using language which did not make it adequately clear that:

  1. A third party insurance broker (rather than HealthEngine) would provide the relevant services (such as a health insurance comparison) to Patients; and
  2. If the Patient answered “yes” to the question, the Patient’s non-clinical personal information would be sent to one of the health insurance brokers.

This conduct was liable or likely to cause Patients to believe that HealthEngine provided health insurance-related services, when it did not. It was also deceptive because, by answering “yes” to the question, Patients did not give HealthEngine consent to send their non-clinical personal information to a health insurance broker.

Over a period of 4 years, non-clinical information of approximately 135,000 Patients was disclosed to health insurance brokers who used the information to contact the Patients about private health insurance.

The referral representations constituted misleading conduct which contravened s 18 of the ACL, and were misleading as to the nature, the characteristics and/or suitability for their purpose of any services, which contravened s 34 of the ACL.

What was the penalty?

In the absence of evidence of financial loss to consumers, and taking into account that the referral revenue received was $1,835,336 (offset by costs of $1,335,524), that the ACCC accepted that HealthEngine’s senior management did not intend to breach the ACL, and that HealthEngine co-operated with the ACCC, the Court imposed a penalty of $1.4 million.

Note: HealthEngine now makes this statement in its privacy policy: “You can be assured that everyone at HealthEngine is committed to protecting and respecting your privacy.”

Conclusions

The total pecuniary penalty imposed under s 224(1)(a)(ii) of the ACL was $2.9 million. It is payable by instalments of $750,000 within 6 months, $750,000 within 12 months, $700,000 within 18 months and $700,000 within 24 months.

In addition, HealthEngine was ordered to have a qualified independent compliance professional review its existing ACL compliance program annually for the next 3 years; to contact all Patients whose personal information was provided to an insurance broker, using an approved notification; and to pay the ACCC’s legal costs, fixed in the amount of $50,000.

Understandably, the ACCC gives this warning in its media release: “These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law,” ACCC Chair Rod Sims said.

This same warning could have been given by the Australian Information Commissioner about the potential for breaches of the Australian Privacy Principles. The Commissioner did not join these proceedings, which indicates that they are content to allow the ACCC to prosecute privacy breaches where there has been a breach of the Australian Consumer Law.

© Copyright 2020 Cordato Partners