HealthEngine has made bad mistakes and mishandled its response to its patient data handling crisis, but the timing of the ACCC action against the company and the tone of its attack feel very convenient


Less than a year ago the health practice appointments platform Health Engine was a market leader and a market darling, by a fair margin. Having completed a funding round with a large global VC for $27m, and with strong growth in all its numbers it was by any measure the most successful health tech start up in the country.

Last week the ACCC launched a very pointed and very public attack on the group, as part of its follow up to a series of revelations almost a year before about how the company treated data it was collecting from patients, for reviews of practices, and for use by upstream services providers, primarily, health insurers.

Following the revelations last year Health Engine didn’t exactly cover themselves in PR crisis management glory. CEO, Dr Marcus Tan is bright, talented, driven, and by all accounts, not the Mark Zuckerberg of Australian digital health tech. But he did play some Facebook-like cards following the initial crisis last year. Caught off guard, he initially denied some of the allegations being made against the company, which later proved to be true. He then set about apologising in a manner that any PR professional could have told him was not the way to go. It was drip feed admissions and never a rip the band off approach.

From saying they published only positive reviews because it wanted to celebrate high-performing GP practices they stepped down to saying they did not mean to mislead readers and had realised it could do things better.

Then they took the decision to close down a whole part of their business model caught up in the controversy suggesting they did it because “it was confusing to customers”. With a slow cascade of admissions, even if they had made this decision for the better servicing of customers, most people weren’t buying the line. A lot of damage was likely done in terms of trust, most especially with owners of medical practices and doctors, whose working life revolves around patient-doctor trust and consent.

If you read the ACCC statement, it immediately has a strong feel of making an example of HealthEngine.

“Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC,” Sims said.

“Businesses who are not upfront with how they will use consumer data may risk breaching the Australian Consumer Law and face action from the ACCC.”

The key allegations by the ACCC are that HealthEngine:

  • Chose to not publish negative reviews with an intent of misleading patients (17,000)
  • Altered negative reviews and published them with the same intent (3000)
  • Misled patients (135,000) into giving their permission to be contacted for further health insurance information

The ACCC release says that such conduct was knowingly misleading and deceptive. The ACCC boss says in the press release:

“The ACCC considers that the alleged conduct by HealthEngine is particularly egregious because patients would have visited doctors at their time of need based on manipulated reviews that did not accurately reflect the experience of other patients.”

It’s not really surprising that the release was followed by a flood of both consumer and specialist medical media reporting (including from us) which picked up the ACCC tone, and pretty much condemned the company prior to any findings of the actual ACCC court proceedings. Some even amplified some aspects of the case to imply significantly more wrongdoing where not even the ACCC was alleging wrongdoing. For example, “HealthEngine Sued for Allegedly Selling Patient Data”, was a headline in the Australian Financial Review which does have ‘egregious’ implications.  But the selling of patient data was never a point of contention or the subject of action. The ACCC case in this matter examines the question of whether patients who had opted in to receive further health insurance information, were misled as to whether this information would be supplied by a third party, not HealthEngine itself.

If that seems pedantic, given the nature of the overall allegations against HealthEngine it’s informative to look at the key allegations, and the HealthEngine position on what actually happened. We are not condoning HealthEngine’s practices here, just trying to clarify why the ACCC has come out so hard against the company and whether that position is warranted.

Allegation 1: ‘chose not to publish 17,000 negative reviews with an intent to mislead’

HealthEngine documented publically and in detail well before this scandal broke why they were not publishing negative reviews. This publication wrote a story about the practice and explained in detail the company’s methodology and position . That position was that:

  • They collected reviews as a part of their service and most of them were positive
  • They wanted a means of their practices being recognised for this so they set up a review system that had a cut off at a certain score. Below that score a practice did not get a rating. You had to have enough good reviews to make it onto the rating service. Over 80% of the practices made it. Those that didn’t, it was felt by HealthEngine, would be encouraged by them not making the publish status to do better. All the reviews positive and negative were supplied to all the practices.
  • The whole idea according to Dr Tan when we interviewed him was to show the positive feedback of practices to celebrate and help those practices and encourage those with below par scores to improve their customer service.

Whether you agree with the system or not, if you believe HealthEngine’s intent, it is not deliberately to mislead, particularly given the methodology and concept was public information.  It might be seen as naïve however, for various reasons.

Allegation 2: Altered negative reviews and published them with the same intent (3000)

HealthEngine does not deny this allegation and has apologised for the practice. But a bit of further context helps understand how this could have happened. Firstly, HealthEngine at the time had published some 100,000 reviews. 3,000 were altered, so 3% in total were altered. HealthEngine claims that these reviews were all mainly by one moderator who wasn’t following their guidelines and they weren’t aware that the reviews were being altered that way and posted. At the time the scandal broke, the reviews were four years old and had been sitting in the system for that long unnoticed.

None of that is good on the part of HealthEngine. But it is feasible that this was not done with intent as is being alleged.

Allegation 3: Misled patients (135,000) into giving their permission to be contacted for further health insurance information

There is no contention that HealthEngine obtained permission from clients to receive further information on health insurance.  If you follow the prompts through the HealthEngine opt in for clients, it’s very clear that you are choosing for someone to send  you  more information about health insurance comparisons. The ACCC case is that HealthEngine didn’t make it clear enough to consumers that this information and the subsequent contact would be from third parties. It will be interesting to see of that 135,000 customers how many actually complained along those lines. What if no one did? How would the ACCC see that as being misleading?

HealthEngine’s breaches, though not excusable, aren’t anywhere near as bad as breaches by much more powerful institutions and companies (the banks, insurance companies, superannuation companies, global digital platforms and the like) which are able to defend themselves via relative positions in Canberra and State Parliament, and with better funded PR advisors and marketing.

iSelect and Trivago are two giant brands which didn’t seem to flinch in the consumer world though they are both being dragged to court for far more serious breaches than HealthEngine.

Unfortunately for HealthEngine, it is a small target in a very big game now, and its timing could hardly have been worse. Just following the banking and insurance industry enquiries, and amid the release of the ACCCs digital platforms enquiry.

Facebook, Google, Amazon and Apple are all in the sights of the ACCC  in this inquiry now but what has been done to them thus far? Nothing. And what is likely to happen to them for what almost everyone recognises these days are truly egregious treatment of consumer data? Time will tell, but in the mean time it can’t be hurting the ACCC to look so tough with the likes of HealthEngine. HealthEngine is a safe target.

HealthEngine has not managed this situation well. It has made some serious mistakes. And not handled its responses and communication around those mistakes very well. But it has apologised and it has tried to explain. Is it an ‘egregious, deceptive and misleading service provider’? Or are there other machinations at play here?