In early August 2019, the Australian Competition and Consumer Commission (ACCC) took HealthEngine to Court for allegedly misusing patient data and manipulating reviews. The ACCC is the regulatory body that enforces consumer protection laws and takes action against businesses that engage in misleading and anti-competitive conduct.

HealthEngine admitted misconduct, and on 20 August 2020, the ACCC ordered them to:

  • pay a $2.9 million fine;
  • submit to ongoing independent reviews of its consumer law compliance plan; 
  • contact affected users to explain what had happened and assist them in regaining control of their personal information; and
  • pay the ACCC’s costs for bringing the proceedings.  

This article will explain the key lessons from the HealthEngine decision so that you do not make the same mistakes in your business.

Who is HealthEngine?

HealthEngine is a well-known online platform that allows users to make bookings with health practices and practitioners. It also allows them to leave reviews about their experiences receiving those services.

The online platform has considerable reach: it is supposedly used by over one million consumers a month and provides those users with access to over 70,000 health practices and practitioners.

Previously, users of HealthEngine were able to access reviews provided by other users about the quality and service that they received. Where available, reviews are now limited to an indication of the percentage of users that would recommend the service. This percentage is based on the number of reviews received by HealthEngine.

What Was the Issue?

There were three key issues that the ACCC called out.

They claimed that HealthEngine had:

  1. manipulated the reviews of users that are published on the platform;
  2. misrepresented to users why a rating was not published for some health practices; and
  3. disclosed the personal information of users of the platform to health insurance brokers for a fee without making this sufficiently clear to those users.

What Misconduct Did the ACCC Find?

In relation to the manipulation of reviews, HealthEngine admitted that over almost three years, approximately:

  • 17,000 reviews were not published; and
  • 3,000 reviews were edited by adding improvements or removing the parts that were negative. 

The ACCC considered this, and the misrepresentation as to why a rating was not published, to be issues because users may have visited certain health practices and practitioners based on reviews that did not accurately reflect the users’ experiences.

On the disclosure of information, HealthEngine admitted that over a period of almost four years, it earnt more than $1.8 million by giving the non-clinical personal information of over 135,000 users to health insurance brokers. This information included:

  • names;
  • dates of birth;
  • phone numbers; and
  • email addresses.

The ACCC’s concern here was that this disclosure happened without HealthEngine properly informing users that it would use their information in this way. This made it a misuse, or a use, of data that could result in consumer harm.

What Does the Decision Mean for You?

This HealthEngine decision serves as a reminder that if you allow users to make and view other users’ reviews, you should be careful about how you manage and present these reviews. This includes where your business is an online marketplace, and the reviews are about services other than your own.

For example, these reviews may be about third-party services which are listed on your platform.

It is also a warning from the ACCC that misuse of information is not just a privacy issue. It is also a consumer law issue that the ACCC is actively pursuing with very tough consequences for wrongdoers. This is in line with the ACCC’s Digital Platforms Inquiry, which recommended introducing certain General Data Protection Regulation (GDPR) principles into Australian privacy law. These include stronger notification requirements when businesses collect personal data.

Tips for Managing Online Reviews

The ACCC has a lot of useful information on its website about how to manage online reviews. Key points include that you should:

  • ensure the reviews are genuine;
  • make it clear to viewers what reviews are (and are not) visible;
  • avoid editing reviews in any way that may be deceptive or misleading;
  • restrict people from leaving a review for services they have not used or that they have not used recently (for example, within the last month or so); 
  • encourage reviewers to be honest, specific and factual in their reviews; and
  • ensure that reviewers reveal any biases (for example, if they are receiving payment to provide the review).

Tips for Avoiding Misuse of Data

Find out whether you are an Australian Privacy Principle (APP) entity. An APP entity is any sole trader, partnership, trust, company or unincorporated association that has:

If you are an APP entity, you must make sure that you are compliant with Australian privacy laws (including the Australian Privacy Principles).

Even where you are not an APP entity, it is good practice to be upfront and clear about:

  • what personal information you are collecting;
  • how you are collecting the information; and
  • what you will do with this personal information.

This is also a great way to gain the trust of your customers.

An easy way to achieve this transparency is through a privacy policy. Alternatively, when collecting any personal information, you could provide a notice to the person that you are doing so. Here, you need to outline:

  • why you are collecting the information; and 
  • what you are planning on doing with it.

If you have a privacy policy, you should review it to make sure that it is clear, accurate and up to date. Where a privacy policy is not clear, accurate or up to date, there is a risk that it could be misleading.

Key Takeaways

The huge fine for HealthEngine shows that the ACCC is serious about making the misuse of information a consumer law issue, and about protecting consumers from misleading conduct. If you have any questions or would like to know more about whether your business is compliant, get in touch with LegalVision’s IT lawyers on 1300 544 755.
