
In early August 2019, the Australian Competition and Consumer Commission (ACCC) took HealthEngine to court for allegedly misusing patient data and manipulating reviews. The ACCC is the regulatory body that enforces consumer protection laws and takes action against businesses that engage in misleading and anti-competitive conduct.

HealthEngine admitted misconduct, and on 20 August 2020, the ACCC ordered them to:

  • pay a $2.9 million fine;
  • submit to ongoing independent reviews of its consumer law compliance plan; 
  • contact affected users to explain what had happened and assist them in regaining control of their personal information; and
  • pay the ACCC’s costs for bringing the proceedings.  

This article will explain the key lessons from the HealthEngine decision so that you do not make the same mistakes for your business.

Who is HealthEngine?

HealthEngine is a well-known online platform that allows users to make bookings with health practices and practitioners. It also allows them to leave reviews about their experiences receiving those services.

The online platform has considerable reach: it is supposedly used by over one million consumers a month and provides those users with access to over 70,000 health practices and practitioners.

Previously, users of HealthEngine were able to access reviews provided by other users about the quality and service that they received. Where available, these have now been limited to an indication of the percentage of users that would recommend the service. This percentage is based on the number of reviews received by HealthEngine.

What Was the Issue?

There were three key issues that the ACCC called out.

They claimed that HealthEngine had:

  1. manipulated the reviews of users that are published on the platform;
  2. misrepresented to users why a rating was not published for some health practices; and
  3. disclosed the personal information of users of the platform to health insurance brokers for a fee without making this sufficiently clear to those users.

What Misconduct Did the ACCC Find?

In relation to the manipulation of reviews, HealthEngine admitted that over almost three years, approximately:

  • 17,000 reviews were not published; and
  • 3,000 reviews were edited by adding improvements or removing the parts that were negative. 

This, and the misrepresentation as to why a rating was not published, were considered issues by the ACCC because users may have visited certain health practices and practitioners based on reviews that did not accurately reflect the users’ experiences.

On the disclosure of information, HealthEngine admitted that over a period of almost four years, it earnt more than $1.8 million by giving the non-clinical personal information of over 135,000 users to health insurance brokers. This information included:

  • names;
  • dates of birth;
  • phone numbers; and
  • email addresses.

The ACCC’s concern here was that this disclosure happened without HealthEngine properly informing users that it would use their information in this way. This made it a misuse or use of data that could result in consumer harm.

What Does the Decision Mean for You?

This HealthEngine decision serves as a reminder that if you allow users to make and view other users’ reviews, you should be careful about how you manage and present these reviews. This includes where your business is an online marketplace, and the reviews are about services other than your own.

For example, these reviews may be about third-party services which are listed on your platform.

It is also a warning from the ACCC that misuse of information is not just a privacy issue. It is also a consumer law issue that the ACCC is actively pursuing with very tough consequences for wrongdoers. This is in line with the ACCC’s Digital Platforms Inquiry, which recommended introducing certain General Data Protection Regulation (GDPR) principles into Australian privacy law. These include stronger notification requirements when businesses collect personal data.

Tips for Managing Online Reviews

The ACCC has a lot of useful information on its website about how to manage online reviews. Key points include that you should:

  • ensure the reviews are genuine;
  • make it clear to viewers what reviews are (and are not) visible;
  • avoid editing reviews in any way that may be deceptive or misleading;
  • restrict people from leaving a review for services they have not used or that they have not used recently (for example, within the last month or so); 
  • encourage reviewers to be honest, specific and factual in their reviews; and
  • ensure that reviewers reveal any biases (for example, if they are receiving payment to provide the review).

Tips for Avoiding Misuse of Data

Find out whether you are an Australian Privacy Principle (APP) entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:

If you are an APP entity, you must make sure that you are compliant with Australian privacy laws (including the Australian Privacy Principles).

Even where you are not an APP entity, it is good practice to be upfront and clear about:

  • what personal information you are collecting;
  • how you are collecting the information; and
  • what you will do with this personal information.

This is also a great way to gain the trust of your customers.

An easy way to achieve this transparency is through a privacy policy. Alternatively, when collecting any personal information, you could provide a notice to the person that you are doing so. Here, you need to outline:

  • why you are collecting the information; and 
  • what you are planning on doing with it.

If you have a privacy policy, you should review it to make sure that it is clear, accurate and up to date. Where a privacy policy is not clear, accurate or up to date, there is a risk that it could be misleading.

Key Takeaways

The huge fine for HealthEngine shows that the ACCC is serious about making the misuse of information a consumer law issue, and about protecting consumers from misleading conduct. If you have any questions or would like to know more about whether your business is compliant, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.



About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
