Skip to content

What Are the Key Lessons From the HealthEngine Decision?

In early August 2019, the Australian Competition and Consumer Commission (ACCC) took HealthEngine to Court for allegedly misusing patient data and manipulating reviews. The ACCC is the regulatory body that enforces consumer protection laws and takes action against businesses who engage in misleading and anti-competitive conduct.  

HealthEngine admitted misconduct, and on 20 August 2020, the ACCC ordered them to:

  • pay a $2.9 million fine;
  • submit to ongoing independent reviews of its consumer law compliance plan; 
  • contact affected users to explain what had happened and assist them in regaining control of their personal information; and
  • pay the ACCC’s costs for bringing the proceedings.  

This article will explain the key lessons from the HealthEngine decision so that you do not make the same mistakes for your business.

Who is HealthEngine?

HealthEngine is a well-known online platform that allows users to make bookings with health practices and practitioners. It also allows them to leave reviews about their experiences receiving those services.

The online platform has considerable reach, and is supposedly used by over one million consumers a month and provides those users with access to over 70,000 health practices and practitioners.

Previously, users of HealthEngine were able to access reviews provided by other users about the quality and service that they received. Where available, they have now limited to an indication of the percentage of users that would recommend the service. This percentage is based on the number of reviews received by HealthEngine.

What Was the Issue?

There were three key issues that the ACCC called out.

They claimed that HealthEngine had:

  1. manipulated the reviews of users that is published on the platform; 
  2. misrepresented to users why a rating was not published for some health practices; and
  3. disclosed the personal information of users of the platform to health insurance brokers for a fee without making this sufficiently clear to those users.
Continue reading this article below the form
Loading form

What Misconduct Did the ACCC Find?

In relation to the manipulation of reviews, HealthEngine admitted that over almost three years, approximately:

  • 17,000 reviews were not published; and
  • 3,000 reviews were edited by adding improvements or removing the parts that were negative. 

This and the misrepresentation as to why a rating was not published, were considered issues by the ACCC because users may have visited certain health practices and practitioners based on reviews that did not accurately reflect the users’ experiences. 

On the disclosure of information, HealthEngine admitted that over a period of almost four years, it earnt more than $1.8 million by giving the non-clinical personal information of over 135,000 users to health insurance brokers. This information included:

  • names;
  • dates of birth;
  • phone numbers; and
  • email addresses.

The ACCC’s concern here was that this disclosure happened without HealthEngine properly informing users that they would use their information in this way. This made it a misuse or use of data that could result in consumer harm.  

What Does the Decision Mean for You?

This HealthEngine decision serves as a reminder that if you allow users to make and view other users’ reviews, you should be careful about how you manage and present these reviews. This includes where your business is an online marketplace, and the reviews are about services other than your own.

For example, these reviews may be about third-party services which are listed on your platform.

It is also a warning from the ACCC that misuse of information is not just a privacy issue. It is also a consumer law issue that the ACCC is actively pursuing with very tough consequences for wrongdoers. This is in line with the ACCC’s Digital Platforms Inquiry, which recommended introducing certain General Data Protection Regulation (GDPR) principles into Australian privacy law. These include stronger notification requirements when businesses collect personal data.

Tips for Managing Online Reviews

The ACCC has a lot of useful information on its website about how to manage online reviews. Key points include that you should:

  • ensure the reviews are genuine;
  • make it clear to viewers what reviews are (and are not) visible;
  • avoid editing reviews in any way that may be deceptive or misleading;
  • restrict people from leaving a review for services they have not used or that they have not used recently (for example, within the last month or so); 
  • encourage reviewers to be honest, specific and factual in their reviews; and
  • ensure that reviewers reveal any biases (for example, if they are receiving payment to provide the review).

Tips for Avoiding Misuse of Data

Find out whether you are an Australian Privacy Principle (APP) entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:

If you are an APP entity, you must make sure that you are compliant with Australian privacy laws (including the Australian Privacy Principles).

Even where you are not an APP entity, it is good practice to:

  • be upfront and clear about what personal information you are collecting;
  • how you are collecting the information; and
  • what you will do with this personal information.

This is also a great way to gain the trust of your customers.

An easy way to achieve this transparency is through a privacy policy. Alternatively, when collecting any personal information, you could provide a notice to the person you are doing so. Here, you need to outline: 

  • why you are collecting the information; and 
  • what you are planning on doing with it.

If you have a privacy policy, you should review it to make sure that it is clear, accurate and up to date. Where a privacy policy is not clear, accurate or up to date, there is a risk that it could be misleading.

Key Takeaways

A huge fine for HealthEngine shows that the ACCC is serious about making the misuse of information a consumer law issue, and preventing consumers from misleading conduct. If you have any questions or would like to know more about whether your business is compliant, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Register for our free webinars

ACCC Merger Reforms: Key Takeaways for Executives and Legal Counsel

Online
Understand how the ACCC’s merger reforms impact your legal strategy. Register for our free webinar.
Register Now

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now
See more webinars >
Adeline Brosnan

Adeline Brosnan

Read all articles by Adeline

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards