Australia largest medical booking service, HealthEngine, shared private medical data with law firms specializing in personal injury, the ABC reported on Monday.
A pilot referral program passed an average of 200 potential clients a month from HealthEngine to the law firm Slater and Gordon last year, between March and August, the broadcaster reported.
HealthEngine maintains that the sharing, which marketers refer to as lead generation, was done with users' consent. But the ABC reports that users have no way to opt out of their data being collected or shared in this manner.
HealthEngine CEO Marcus Tan, in a statement published on the company's website Monday, says that his company previously provided information to law firms with consent, but now has "no referral arrangements in place with marketing agencies or law firms."
However, HealthEngine does "have referral arrangements in place with a range of industry partners including government, not for profit, medical research, private health insurance and other health service providers on a strictly opt-in basis," Tan writes.
The ABC's story has caused a stir, both amongst consumers who have used the booking service and medical professionals.
"Patients trust doctors," writes Vyom Sharma, a general practitioner based in Melbourne, Australia. "We should take control of appointments through a centralized, connected system that won't sell details to 3rd parties. HealthEngine etc. are a Faustian deal. Patients lose personal info, clinics relinquish price control."
Ines Rio, a general practitioner and chair of the North Western Melbourne Primary Health Network, writes: "This is disgraceful. I've asked my practice manager to remove the ability to book appointments for me off HealthEngine."
The Office of the Australian Information Commissioner, which enforces the country's Privacy Act, tells Information Security Media Group that it "is aware of media reports regarding the app HealthEngine, and is making enquiries with HealthEngine about the details of those reports."
Fully Informed Consent?
HealthEngine, started in 2006 and based in Perth, Australia, is an online booking platform for consumers and a booking engine for medical practices. The company says it connects 1 million patients a month with some 8,000 health practitioners. The service is free for patients, and it offers a paid-for booking platform for practices.
HealthEngine also says it may "disclose de-identified information of our users to third parties for analysis, research and quality assurance purposes."
Tan's statement included an example screenshot of the pop-up that HealthEngine displays to gain a user's consent.
HealthEngine says this is the opt-in dialog box that asks for consent.
"There's a term for this disgraceful behavior where you either consent to loss of privacy or don't get the service - it's called bundled consent, and it's time it was outlawed," writes Greens Party MP David Shoebridge on Twitter.
Electronic Frontiers Australia, a digital rights watchdog, criticized HealthEngine in a statement, alleging it shares data on the "flimsiest pretense of patient consent."
"If this ethically dubious behavior is technically legal, then Australia's privacy legislation must be changed," says Justin Warren, who is an Electronic Frontiers Australia board member.
As part of the registration and booking process, HealthEngine asks for a variety of sensitive information, "including whether they have suffered a workplace injury or been in a traffic accident," the ABC reported.
The ABC reported that it viewed secret documents showing that the Sydney-based law firm Bannister Law held a contract to pass on referrals from HealthEngine. The law firm Slater and Gordon received the HealthEngine referrals from Bannister Law, it reported.
In a statement, Slater and Gordon says it ensures marketing activity it undertakes "is compliant with applicable laws."
The firm adds: "Slater and Gordon has acted and continues to act in accordance with all its legal and ethical obligations regarding its marketing activities."
Many HealthEngine users have expressed surprise at the ABC's report and HealthEngine's background trade in data.
"The really shit thing about @healthengine hawking my data, is that it didn't even occur to me that my data was the product," writes Chris Cook, a web application developer based in the Australian city of Canberra. "They're embedded in my GP's website as an iframe (with minimal branding), leveraging my trust in my GP to get my data."
"I've used @healthengine," writes Ron Baumann of Sydney in a tweet that subsequently appears to have been deleted. "The site makes it perfectly clear they pass personal info on. Only an absolute idiot could miss that. People can choose either to agree or not. Move on. Nothing to see here."
The ABC reports that HealthEngine's mobile app contains a "collection statement" that in part says if users consent, their information can be passed on to private health insurance comparison services, credit services for cosmetic and dental procedures and legal service providers.
But the broadcaster contends that "there is no opportunity to opt out of terms in the collection statement if patients want to use the app."
HealthEngine disputes this. While efforts by ISMG to reach officials at HealthEngine were unsuccessful, the company has been busy on Twitter trying to respond to users' queries, via identical statements that contest the ABC's assertions.
HealthEngine's response reads: "Contrary to the ABC report's suggestion, consent to these referrals is not hidden in our policies but obtained through a simple pop-up form at the time of booking or provided verbally to a HealthEngine consultant.
"Users are able to continue to use our booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form," HealthEngine writes. "Hope this has helped clarify things."
Source : https://www.bankinfosecurity.com/australias-healthengine-caught-in-data-sharing-fiasco-a-11134